Guest
Guest
Create New Topic As guest or Sign in
Assign topic to the user
-
How comprehensive and specific should we describe the implementation methods in SoA?
Hi, I still struggle with the SoA. I know it's not mandatory to describe the implementation methods which is practical if I don't yet know what specific measures we want to implement. But in the next step (risk treatment plan), I have to provide information on human, financial and technological resources. This is only possible if we know fairly precisely how implementation is to take place.
Isn't it better to describe the implementation in more detail? But what does that look like? For example, we have a project for log obfuscating that has been started but is not yet finished. It fits in with control 8.11 Data Masking. Do we then mention the project in Implementation at 8.11?
What do we do with the controls that we don't yet know how to implement but think are important? Only mention a policy that we will write, or a task that we need to re-work an existing policy?
What do we do if we later realize that we need to implement technical measures? -
Filling SoA
I already used risk ID's inside the SoA template and wrote down „Risk #8, #10, #38“ for example. I did it like Dejan’s video tutorial said. But control A.12.6.1 includes (in my opinion) almost any risks out of the risk assessment table and I would like to write a general statement for „reason for selection / exclusion“ instead of writing each risk ID down. Is this possible? I did it for some other controls inside the SoA already too.