I have a question regarding the SoA and how to document a transferred risk. For instance, 12.3.1 information backup.
In the risk assessment we have identified that all of our important data is backed up by our suppliers (AWS).
Our RTP says that we have transferred this risk to the supplier.
In the SoA, do we document Control 12.3.1 information backup as follows:
Justification: Transferred to supplier.
In this case we would not be creating any additional documents, etc., as we already have signed up to their agreed terms of data backup.
Is this the correct approach to take or should you say that the control is not selected because we are not putting in place any additional policies/agreements from what is already in place?