Expert Advice Community

Controls in SoA

Guest user Created: Jun 03, 2019 Last commented: Jun 03, 2019

I'm wondering in the statement of applicability, in order to get certified is it mandatory to implement almost all of the controls? Like if I exclude half of the controls because they aren't identified in the risk assessment, is the auditor going to say that isn't acceptable?

Expert
Rhand Leal Jun 03, 2019

Answer:

First it is important to understand that any control from ISO 27001 Annex A is mandatory only if at least one of the following occurs:
- There are unacceptable risks that justify the application of the control
- There are legal requirements (e.g., laws or contract clauses) with which the organization must comply and which demand the application of the control
- There is a management decision to implement the control, considering it good practice.

If none of the above conditions happen, there is no need to implement a control, and based on this situation the auditor will consider the SoA acceptable for certification.

By the way, in our experience a certified ISMS generally implements up to 100 of the 114 controls listed in ISO 27001 Annex A.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
