Policy and Guidance Documentation Suite for CAS(T)

Created:  25 Jan 2016
Updated:  01 Aug 2016

The policy and guidance documentation suite for CAS(T) has been updated and reissued as:

The Guidance note Update to CAS(T) Assessment Requirements – June 2014 has been superseded and is withdrawn.

All CAS(T) certification, surveillance, special and recertification assessments should use the new documents with immediate effect unless the scope for an assessment using the superseded documents has already been agreed.

As before, the Security Procedures designate each control as critical, mandatory or non-mandatory. The critical controls and associated ISO27001:2005 controls (not a precise mapping) are:

| ISO27001:2013 Control | Description                                           | ISO27001:2005 Control | Designation |
|-----------------------|-------------------------------------------------------|-----------------------|-------------|
| 6.1.1                 | Information security roles and responsibilities       | 6.1.3                 | Critical    |
| 9.1.1                 | Access control policy                                 | 11.1.1                | Critical    |
| 9.2.3                 | Management of privileged access rights                | 11.2.2                | Mandatory   |
| 9.2.6                 | Removal or adjustment of access rights                | 8.3.3                 | Critical    |
| 11.1.2                | Physical entry controls                               | 9.1.2                 | Critical    |
| 12.1.2                | Change management                                     | 10.1.2                | Critical    |
| 12.4.1                | Event logging                                         | 10.10.2               | Critical    |
| 12.6.1                | Management of technical vulnerabilities               | 12.6.1                | Mandatory   |
| 13.1.1                | Network controls                                      | 10.6.1                | Mandatory   |
| 13.1.3                | Segregation in networks                               | 11.4.5                | Mandatory   |
| 15.1.3                | Information and communication technology supply chain | 6.2.1                 | Critical    |
| 18.2.3                | Technical compliance review                           | 15.2.2                | Critical    |

The critical controls that were formerly mandatory controls must be assessed in the next surveillance or special audit if the associated mandatory control had not previously been assessed.

There is no precise mapping between ISO27001:2005 and ISO27001:2013 controls, so there may be some uncertainty about which controls need to be assessed to ensure that all mandatory controls are assessed in the course of an audit cycle that started with certification under the old Security Procedures. If there is any doubt, CESG will advise which controls must be assessed.
