Get FREE 12-month access to the AI-Powered Knowledge Base worth $450
with your ISO 9001 toolkit purchase
Limited-time offer – ends June 27, 2024

Tag: "Annex A controls" - Expert Advice Community



Create New Topic As guest or Sign in

HTML tags are not allowed

Assign topic to the user

  • Residual Risk Calculations

    Hi, I understand that the conformio software auto calculates the residual risk after controls are added. so 2 questions:

    1. What is the recommended base for controls? Is more better as in comprehensively covered or the minimum to reduce the resdiual risk?

    2. Do we assume that the controls reduces the impact rating? I'm unsure of how that will happen. Can you please explain? For example - Desktop Computers > Downloads from internet not controlled > Infections with malicious software > Controls choosen are: A.5.7, A.5.10, A.5.17, A.5.24, A.5.25, A.5.26, A.5.27, A.5.28, A.5.37, A.6.1, A.6.2, A.6.3, A.6.4, A.6.8, A.8.7, A.8.19, A.8.21

    The residual risk is now 0 but I don't understand how the Impact is reduced to 0 with these. Please help.


  • A.18.1.1 Identification of applicable legislation and contractual requirements

    A.18.1.1 is good to go (just reference the policy and note that due to sensitivity and attorney client privildge, the policy was retained)


    To satisfy the control, is it enough for an organization to just state that they identify & manage the relevant legislative statutory, regulatory, contractual requirements in their information security policy document? I am trying to understand if other evidence like a separate defined list of laws or at least an email from their legal department is absolutely necessary to fulfill it. For context, what if the organization has stated that "due to sensitivity and attorney client privildge" they would not share anything more than that first statement to reference? Thank you.

  • Statement Of Applicability

    Is there a rule of thumb (or best practice) as to how many controls from Annex A need to be sustained in the SOA (for smaller companies, i.e. 50-100 employees)?