Control objectives in the Statement of Applicability
Answer:
Control objectives are a specific description of what you want to achieve with a particular control - e.g. for backup, the objective might be "We want to achieve the loss of data of maximum 6 hours." To see a detailed explanation, read this article: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/
ISO 27001 doesn't require you to list objectives for each control - you can specify objectives for a group of controls, you can specify objectives for your processes, or any other way you feel is appropriate for your company. Further, you don't have to specify objectives in the Statement of Applicability - you can use some other document for this purpose.
However, we felt that listing objectives next to each control in the SoA is the most practical solution. If you want to make it really easy, you can copy the objectives for groups of controls from the standard itself (Annex A of ISO 27001).
Apr 06, 2016