
Expert Advice Community

Controls in SoA

Guest
Guest user Created:   Jun 03, 2019 Last commented:   Jun 03, 2019

I'm wondering in the statement of applicability, in order to get certified is it mandatory to implement almost all of the controls? Like if I exclude half of the controls because they aren't identified in the risk assessment, is the auditor going to say that isn't acceptable?
Expert
Rhand Leal Jun 03, 2019

Answer:

First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply, and which demand the application of the control
- There is a management decision to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a control, and based on this situation the auditor will consider the SoA acceptable for certification.

By the way, in our experience a certified ISMS generally implements up to 100 of the 114 controls listed in ISO 27001 Annex A.

This article will provide you with further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
