Controls in SoA
Assign topic to the user
Answer:
First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
- There is a management decision to implement the control, by considering it as good practice.
If none of the above conditions happen, there is no need to implement a control, and based on this situation the auditor will consider the SoA acceptable for certification.
By the way, by our experience a certified ISMS generally implements up to 100 from the 114 controls listed on ISO 27001 Annex A.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Comment as guest or Sign in
Jun 03, 2019