...
ISO/IEC 27001:2013 Annex A can be overwhelming, both to us as information security practitioners and to our colleagues. It can appear to be a very technical and bureaucratic list of things that must be done, with no visible relationship to the organisation's objectives, activities, and risks. You should think about how you present controls within your organisation. It could be a good idea to group your selected controls by
- Activities: running a data centre, operating a network, administering a server
- Risks: fire, theft, hacking, malware
- Business units: financial, human resources, operations
Effectiveness
Your selection of controls must be practical for your organisation and staff to implement and understand; otherwise they will not be effective. You should also think about how you will monitor and measure the controls, as set out in clause 9 (Performance evaluation) of the standard, so that you can show that each control is actually in place and working rather than only documented.
...