SoA and selection of controls
I have a question about SoA and selection of controls:
If control is selected as applicable in which extent the control is required to implement?
For example: if control A.9.4.3 Password management system is selected as applicable is it required to implement to every single system/application in the Company or is it enough to implement it according to assessed need (based on assessed risks and other relevant information concerning the systems/applications)?
Assign topic to the user
You have to implement a control only to the extent it reduces related risks to acceptable levels and ensures legal requirements (e.g., laws, regulations, or contracts) are fulfilled.
This article will provide you a further explanation about risk treatment:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
May 13, 2020