Zanimljiv Članak o poveznici procjene rizika po standardu ISO 27001:2005 i primjeni kontrola Aneksa A tog standarda – Dr. David Brewer FBCS, Dr. Michael Nash FBCS: “Insights into the ISO/IEC 27001 Annex A”.

Abstract: ISO/IEC 27001 is a specification for an Information Security Management System (ISMS). It contains an annex, Annex A, which catalogues a wide range of controls and other measures relevant to information security. At first view, it appears that all an organisation has to do is select the controls that it believes that it needs from this catalogue. However, there is a requirement to carry out a risk assessment. The purpose of this is to identify the controls that are actually required. Over the years arguments have raged between the users of ISO/IEC 27001as to the relative importance and relationship between these two requirements. This paper reports on research carried out by Gamma Secure Systems Limited (Gamma) over the period January 2007 to December 2010 to investigate the relationship between these two requirements. We discover that if an organisation wishes merely to ensure coverage of the Annex A controls then the scope of the risk assessment is highly constrained. Indeed, we discover that it is possible to generate a small set of templates that once completed will fulfil the risk assessment requirements of the standard and guarantee coverage of the Annex A controls, whilst not necessarily providing a risk assessment that adequately addresses the organisation’s real exposure.

Cijelom ?lanku mo