
Choose to Not implement a security control

LindaK Created: Jan 16, 2024 Last commented: Jan 17, 2024


I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am still not sure. Feels like there must be a clear answer to this. So my question is: can I (according to ISO 27001) choose to not implement a security control from Annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions, in this case there won't be any risk treatment plans to connect to the security control. The risk is accepted by the company and we choose "Not Implemented" with no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay, or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?

The reason to not implement could be that the risk is very, very low, very, very unlikely and/or would cost more to implement than the consequence of the risk.


Expert
Rhand Leal Jan 17, 2024

Please note that you only have to implement a control if at least one of the following occurs:

  • there are one or more relevant risks (i.e., risks you decided not to accept) that, in order to be treated, require the control to be implemented
  • there are legal requirements (e.g., laws, regulations, or contracts) that demand the control to be implemented
  • there is a management decision to implement the control.

If none of the above occurs, you do not need to implement the control.

If you accept all risks related to a control, either because they are acceptable according to your risk evaluation criteria (i.e., they are considered too low to treat) or because, as a risk treatment option, you decided to accept the risk (e.g., the treatment would cost more to implement than the consequence of the risk), you also do not need to implement the control.

LindaK Jan 17, 2024

Well explained! Thank you :)
