Mark E S Bernard ISO 27001 2013 Discretionary versus Mandatory
Published in: Business
Transcript

  • 1. *** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS *** Page: 1 of 2 The importance of the mandatory clauses is punctuated by the fact that during ISMS audits, if the auditor discovers that any single one of the mandatory clauses is not supported by evidence, is missing, or is deemed ineffective, it is considered a major non-conformity. What does this mean? This alone is reason enough for the auditor not to recommend the organization for registration/certification. In the event that the audit is part of the ongoing continuous assessment review, the organization could be decertified. It's that important! Clauses 4 – 10 initially require a gap assessment to identify the delta. Zero exclusions are permitted, and that is why a gap assessment is the best approach.
  • 2. Within Annex A, a series of control objectives has been listed. These control objectives have been designed to address specific known risks. These controls are initially risk-assessed during implementation/adoption for fit within each individual organization. The risk assessment provides evidence for applicability and/or justification for exclusion. The results are listed within the Statement of Applicability (SoA) following approval by the ISMS Governance Committee. The SoA is a controlled document that is included with the Registration Auditor's recommendations, which the auditor submits to ISO for final gating and approval. During the ISMS internal and external audits, if a weakness is discovered within the controls, it will require a corrective action plan and/or preventive action (CAPA) plan. The CAPA is listed within the Risk Treatment Plan and monitored until completed, and then validated before it is formally closed. Please note that while a single weakness may be tolerated, a cluster of failed controls within the same domain will result in a major nonconformity and potential decertification.
