Once security requirements and risks have been identified and decisions for the treatment of risks
have been made, appropriate controls should be selected and implemented to ensure risks are reduced
to an acceptable level. Controls can be selected from this standard or from other control sets, or new
controls can be designed to meet specific needs as appropriate. The selection of security controls is
dependent upon organizational decisions based on the criteria for risk acceptance, risk treatment
options, and the general risk management approach applied to the organization, and should also be
subject to all relevant national and international legislation and regulations.
Some of the controls in this standard can be considered guiding principles for information security
management and are applicable to most organizations. They are explained in more detail below under the
heading “Information security starting point”.
More information about selecting controls and other risk treatment options can be found in clause 4.2
"Treating security risks".