Expert Advice Community

Control objectives in the Statement of Applicability

Guest user Created:   Apr 06, 2016 Last commented:   Apr 06, 2016

I have a question specific to completing the SoA, and the table in Section 3: Applicability of Controls. I'm clear on all of the columns except one: "Control Objectives". I feel like I want to copy/paste the same text all the way down: "Control risk exposure" ! But that doesn't feel quite right :) Have you any suggestions?

Expert
Dejan Kosutic Apr 06, 2016

Answer:

Control objectives are a specific description of what you want to achieve with a particular control - e.g. for backup, the objective might be "We want to achieve a maximum data loss of 6 hours." To see a detailed explanation, read this article: ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

ISO 27001 doesn't require you to list objectives for each control - you can specify objectives for a group of controls, you can specify objectives for your processes, or any other way you feel is appropriate for your company. Further, you don't have to specify objectives in the Statement of Applicability - you can use some other document for this purpose.

However, we felt that listing objectives next to each control in the SoA is the most practical solution. If you want to make it really easy, you can copy the objectives for groups of controls from the standard itself (Annex A of ISO 27001).
