Controls application

Guest user Created:   Nov 27, 2018 Last commented:   Nov 27, 2018

Quick question: does ISO 27001 look for a one-to-one mapping of risks to controls in the SoA, or could I come up with one risk in the assessment and use 3 to 4 controls from the SoA to mitigate that risk?
Expert
Rhand Leal Nov 27, 2018

Answer:

ISO 27001 does not prescribe how many controls you must use to treat a risk, so you can use as many controls as you see fit for your organization (the applicable controls will have to be stated as such in the SoA). It is important to note that while applying multiple controls can significantly decrease a risk, it will also require more administrative effort, and these controls may also introduce new risks, so this approach should balance security with effort and new risks.

This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
