A number of controls can be considered as a good starting point for implementing information
security. They are either based on essential legislative requirements or considered to be common
practice for information security.
Controls considered to be essential to an organization from a legislative point of view include,
depending on applicable legislation:
a) data protection and privacy of personal information (see 15.1.4);
b) protection of organizational records (see 15.1.3);
c) intellectual property rights (see 15.1.2).
Controls considered to be common practice for information security include:
a) information security policy document (see 5.1.1);
b) allocation of information security responsibilities (see 6.1.3);
c) information security awareness, education, and training (see 8.2.2);
d) correct processing in applications (see 12.2);
e) technical vulnerability management (see 12.6);
f) business continuity management (see 14);
g) management of information security incidents and improvements (see 13.2).
These controls apply to most organizations and in most environments.
It should be noted that although all controls in this standard are important and should be considered,
the relevance of any control should be determined in the light of the specific risks an organization is
facing. Hence, although the above approach is considered a good starting point, it does not replace
selection of controls based on a risk assessment.