I am a bit conflicted about this and need to hear what you think. I have asked Experta but I am stil not sure. Feels like there must be a clear answer to this. So my question is... can I (according to iso27001) choose to Not implement a security control from annex A even if I can see a risk with not implementing it? If we identify the risk but choose to accept the risk without any mitigating actions. In this case there won't be any risk treatment plans to connect to the Security control. The risk is accepted by the company and we choose Not Implemented and no plans to implement. The risk and security control will be re-evaluated yearly. Is this okay or what should we do with the security control if we only have one or several risks linked to it that are accepted without further actions?
The reason to Not Implement could be that the risk is very very low, very very unlikely and/or would cost more to implement than the consequence of the risk.
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Please note that you only have to implement a control if at least one of the following occurs:
- there are one or more relevant risks (i.e., risks you decided not to accept) that to be treated demand the control to be implemented
- there are legal requirements (e.g., laws, regulations, or contracts) that demand the control to be implemented
- there is a management decision to implement the control.
If none of the above occurs, you do not need to implement the control.
In case you accept all risks related to a control because they are acceptable according to your risk evaluation criteria (i.e., they are considered too low to treat) or because, as a risk treatment, you decided to accept the risk (e.g., the treatment would cost more to implement than the consequence of the risk), you also do not need to implement the control.
Comment as guest or Sign in
Jan 17, 2024