those controls to ensure they are fit-for-purpose and business-aligned.

Key Takeaways from the Standard: Technical Compliance:
Use the risk register from ISO 27005 to prioritize control assessments. High-risk processes (e.g., remote access, payment systems) should be assessed more frequently and more rigorously.
Every internal audit cycle. If you audit quarterly, use it quarterly. The standard is not a one-time read; it is a reference tool to be consulted before designing any control assessment.
If your goal is to (the supposed purpose of 27008), follow this 3-document stack:
This is a valuable reference table mapping ISO 27002 controls (Annex A of 27001) to practical assessment criteria. For example:
| Source | Link | Format | Cost (approx.) |
|--------|------|--------|----------------|
| ISO Store | iso.org (for 27007) | PDF + Paper | CHF 118–198 |
| ANSI Webstore | webstore.ansi.org | PDF | $120–$180 |
| IHS Markit | ihs.com | PDF | Varies |
| National body (e.g., BSI, DIN, JSA) | Your country’s ISO member | PDF | ~$100–$200 |
Many scam sites offer an “ISO 27008 PDF” that is bundled with malware. Legitimate PDFs carry DRM (watermarking, printing restrictions), so a free, unrestricted copy is a warning sign.
