Expert Advice Community

Adding new control to SoA after audit

Guest user Created:   Dec 07, 2020 Last commented:   Dec 07, 2020

Hi, can I add a new control to the SoA after certification and before the surveillance audit?


Expert
Rhand Leal Dec 07, 2020

Adding, changing, or excluding a control from the SoA is a natural and necessary thing to do to maintain the ISMS.

To do that, considering the requirements of the standard, you need to review your risk assessment and risk treatment, and your list of applicable legal requirements, to verify whether there is any change in your context that can justify a change in the SoA. Additionally, you need to check whether there is any management decision to implement a control (in such cases there will be no changes in risk management or in legal requirements).

Once a need for change is identified, you need to define an implementation plan to perform the change.

These articles will provide you with a further explanation about the SoA:

The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
