Tag: "SoA documenting" - Expert Advice Community




  • SoA documenting a transferred risk


    I have a question regarding the SoA and how to document a transferred risk, for instance 12.3.1 information backup.

    In the risk assessment we have identified that all of our important data is backed up by our suppliers (AWS).

    Our RTP says that we have transferred this risk to the supplier.

    In the SoA, do we document control 12.3.1 information backup as follows:

    Selected: Yes

    Implemented: Yes

    Justification: Transferred to supplier.

    In this case we would not be creating any additional documents etc., as we have already signed up to their agreed terms of data backup.

    Is this the correct approach to take or should you say that the control is not selected because we are not putting in place any additional policies/agreements from what is already in place?

    Thank you,