In a document audit (stage 1) of your ISO27001, it was remarked as a minor non-conformity that we have excluded controls in the SoA (with reason, that we, for example, do not have/use test data in our company (A.14.3.1)). The auditor said, that we still should have applied the control but not implemented it. For me, this is a distinction without a difference. Now we have to apply the control and write in the “Implementation Method” of the control (in SoA) that we have not implemented it due to no test data used in the company. What is your opinion on this?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that there is a difference between application and implementation. Applicability refers to the existence or not of risks or legal requirements demanding control implementation, while implementation refers to the control being implemented or not. So you can have an applicable control that may not be implemented yet (e.g., when the applicable control requires the implementation of equipment that needs to be bought).
If there are no risks or legal requirements demanding a control implementation, you do not need to apply the control and state it as not implemented in the SoA. You simply can state the control is not applicable (a justification could be that there are no risks that need to be treated with this control). In your example, if you do not have/use test data, there will be no risks that will require control A.14.31, so you can simply state the control as non-applicable.
Comment as guest or Sign in
Aug 08, 2020