Expert Advice Community

SoA documenting a transferred risk

Created:   Apr 14, 2020 Last commented:   Apr 15, 2020


Hi, I have a question regarding the SoA and how to document a transferred risk. For instance, 12.3.1 Information backup. In the risk assessment we have identified that all of our important data is backed up by our supplier (AWS). Our RTP says that we have transferred this risk to the supplier. In the SoA, do we document Control 12.3.1 Information backup as follows:

Selected: Yes
Implemented: Yes
Justification: Transferred to supplier.

In this case we would not be creating any additional documents etc., as we have already signed up to their agreed terms of data backup. Is this the correct approach to take, or should you say that the control is not selected because we are not putting in place any additional policies/agreements beyond what is already in place?

Thank you,
Walt


Rhand Leal Apr 15, 2020

Your understanding is correct (you only need the terms of agreement with your suppliers), but your SoA information needs adjustment to be compliant with ISO 27001, because the justification requires you to explain why you decided (or not) to apply the control (e.g., because you have (or have not) relevant risks or legal requirements demanding the control implementation), while "transferred to supplier" informs how you implemented the control, which is not required by the standard (however, it is a good practice to include this information). So, your SoA statement would be like:

Selected: Yes
Implemented: Yes
Justification: existence of risk XXX / legal requirement YYY demands the implementation of backup
Implementation method (this would be a new field in your SoA): implemented by outsourcing the backup to the supplier.

To see what a Statement of Applicability acceptable to certification auditors looks like, please access this link:

This article will provide you with further explanation about the Statement of Applicability:
