M2.3.2 - P1 - IDENTIFICATION OF CONTROLS
Controls should be identified to manage the risks, based on the identified risk treatment option(s). It is important to specify the relation between the risks and the identified controls; this relation is essential for ongoing risk management and should be documented in the risk treatment plan.
The first basis for control identification should be this Standard, which suggests a set of "risk-based applicable" controls that address many of the common information security risks. Sector-specific controls should be identified to support the specific needs of the entity within its sector.
The entity should also identify controls that are required for risk management but are not documented in this Standard. Such controls are likely to exist, since an entity has risks specific to its business and the way it operates, and the identification of additional controls completes the set of controls for information security risk management.
The entity should compile a list of the controls that have been identified in order to produce a Statement of Applicability (refer to M2.3.4 - P1 - STATEMENT OF APPLICABILITY). It may be that the Statement of Applicability (refer to the Implementation Guidance of M2.3.4 - P1 - STATEMENT OF APPLICABILITY) leads to a revision of the identified controls. This is the intention of producing the Statement of Applicability: it is supposed to act as a safety net that ensures that no important control has been overlooked.
It is important to be aware that the list of identified controls is very likely to contain sensitive information. Therefore, appropriate care should be taken when making the summary of controls available to both internal and external recipients.