Expert Advice Community

Questions about ISO 27001

Guest
Guest user, created: Mar 06, 2020, last commented: Mar 06, 2020

1. Do I need to put a justification if I didn't choose any of Annex A controls?
2. If one control is applicable but some of that control's content is not, do I need to put a justification on each point? Example: in the code of practice, A.9.1.1 has points from a to k; if points j and k are not applicable, do I need to add a justification for not choosing them?
3. If I wrote the access control policy and my scope is the cloud and the applications running on the cloud, and there is a point in the policy that is applicable to some of the applications but not to the rest, should I add a justification for this?
4. How can I identify controls and consequences in risk identification?

Expert
Rhand Leal Mar 06, 2020

1. Do I need to put a justification if I didn't choose any of Annex A controls?

ISO 27001 requires a justification not only for every control from Annex A deemed applicable but also for not applying controls. This is to ensure that all controls were considered and that there are conscious reasons for not using the controls deemed not applicable.

For further information, see:

2. If one control is applicable but some of that control's content is not, do I need to put a justification on each point? Example: in the code of practice, A.9.1.1 has points from a to k; if points j and k are not applicable, do I need to add a justification for not choosing them?

If I understood you correctly, you are mentioning the content of ISO 27002, a supporting standard for implementation of ISO 27001.

Considering that, please note that justifications are only related to ISO 27001 Annex A, which mentions only control objectives and a general description of the control (not details from ISO 27002). This way, you do not need to justify if only part of the recommendations from ISO 27002 are applied.

For further information, see:

3. If I wrote the access control policy and my scope is the cloud and the applications running on the cloud, and there is a point in the policy that is applicable to some of the applications but not to the rest, should I add a justification for this?

Please note that the risk assessment results will provide the necessary justification for applying an access control policy to some applications and not for others (i.e., risks for some applications are deemed unacceptable and will be treated by means of an access control policy, while other applications will not have risks requiring the application of this control).

For further information, see:

4. How can I identify controls and consequences in risk identification?

Please note that controls are identified during risk treatment after you have identified the risks.

Regarding the identification of consequences, when using the asset-threat-vulnerability approach, you should consider the participation of personnel with knowledge of the asset, of the environment where it operates, and of what depends on the asset. These are the people most capable of identifying what can happen if the asset is compromised.

For further information, see:

These materials will also help you regarding risk assessment and risk treatment:
