CyberSecurity's Conformity Matrix
Published in: Business
This information has been shared freely by Mark E.S. Bernard. If you find it useful, please acknowledge this contribution. If you would like additional information or assistance with the customization and implementation of a balanced risk management process for your security program, please contact Mark at 604-349-6557 or mesbernard@gmail.com.

The CyberSecurity Framework based on ISO/IEC 27001:2013 has two sets of controls. The first set is considered mandatory; it is outlined in Table "A" and provides the overarching management system. The second set of controls can be risk-justified in or out of scope for the CyberSecurity Program; these controls are shown in Table "B" below. Table "B" is based on the control objectives documented in Annex "A". More detail describing these control points is available in supplementary standards such as ISO/IEC 27002:2013.

Below I have provided a high-level summary of each section in a table format known in Quality Management as the Conformity Matrix. This document is very similar to a gap assessment. During the implementation and adoption of ISO 27001, I identify business process owners and walk through each control with them to clarify accountability and the location of evidence, if any. This table helps to clarify governance and sets the stage for the next step, the risk assessment.

Table "A": Mandatory ISO 27001 Control Points

There are 148 control points. Failure to meet any single control point is considered a major nonconformity and grounds for decertification, and during adoption any organization missing any one of these control points will not be recommended for registration/certification.

Table "B": Discretionary ISO 27001 Annex "A" Control Objectives

Conformity with the following control objectives will need to be documented for scoping and integration purposes. These controls are not mandatory and can be risk-justified in or out of scope, but the selection of control objectives must match the scope of information handling as defined by the scope statement and the business reasons for adopting ISO 27001.