Justifications in the SoA
SoA > Can "Mandatory according to ISO 27001 or GDPR" be a valid justification, or does it have to be a specific risk?
A control from ISO 27001 Annex A can be applicable based on these general justifications:
- There are unacceptable risks whose treatment requires the control's implementation
- There are legal requirements that demand the control's implementation
- There is a top management decision requiring the control implementation
Considering that, it is acceptable under ISO 27001 to justify the applicability of a control as being required by GDPR, but not to use ISO 27001 itself as the justification, because the standard does not require any control to be implemented (for the standard, implementation is determined by the above-mentioned conditions).
This article provides further explanation about control selection:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Nov 12, 2019