Chat with Experta

User
Does ISO 27001 Annex A specify how each security control needs to be implemented?
Experta
ISO 27001 does not specify the details of each control because the standard is written in a way that enables it to be implemented in any type or size of organization.

What ISO 27001 does specify is that you have to perform your risk assessment thoroughly, and select the controls based on the results of the risk assessment, deciding how to implement those controls based on the risks and resources you have.

Examples:
Control A.8.13 Information backup does not specify which technologies to use for backups, nor does it specify how often to perform them or how to check that they can be restored successfully. The backups that are appropriate to, say, a large international bank will be rather different for a small shop or a government's treasury department - and even for a comparably-sized competitor bank. There is far too much variety to cover all possibilities, except in very general terms.