ISO27001:2013 - 6.1.3 c) - verifying that no controls have been left out
I understand that the policy must dictate that there is a procedure for this, and I have created an entry in the Risk Assessment and Treatment Methodology around this process, however I was wondering if this needed to be evidenced? Would I be required to, for each risk, identify that each control was considered and where it was not selected, why?
Answer:
I have a small correction to your statement - clause 6.1.3 c) of ISO 27001 says "... verify that no necessary controls have been omitted." - therefore you don't have to verify this for each and every risk.
The answer to your question lies in writing the Statement of Applicability - it will enable you:
To decide for each control from the Annex A whether it is applicable or not, and
To declare why you didn't select particular controls.
Statement of Applicability is a mandatory document, so you'll have everything documented - learn more here: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Jan 12, 2016