Annex A Applicability
I would ask him about completing the Statement of Applicability as our starting point to understand the scale of work (being such a small business) with regards to Annex A and which of the 114 controls are going to be necessary.
Working on the Statement of Applicability as your starting point is not a good approach, because it only documents the results of previous efforts.
According to ISO 27001, to understand which of the 114 controls are going to be necessary you need to perform the identification of applicable legal requirements and a risk assessment and treatment process.
The identification of legal requirements will help you identify laws, regulations, and contracts that demand the implementation of controls, and the risk assessment and treatment will help you identify which controls you need to implement to handle the most relevant risks.
These articles will provide you with a further explanation of ISO 27001 and the application of controls:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you with ISO 27001 and the application of controls:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
May 11, 2020