Applicability of controls
Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs, there is no need to implement a control considering ISO 27001 requirements (what occurs in fact is that it is hard for none of these to happen regarding incident management; it is extremely rare that a company does not have any control from section A.16). Since you did not provide the justification for exclusion in your document, it is not possible to evaluate whether the exclusion is acceptable or not (at the beginning of the document, about control A.6.1.1, there is a comment about the same issue: justification for inclusion/exclusion).
This article will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Feb 13, 2018