Controls in Statement of Applicability

Guest
Guest post Created:   Jan 12, 2016

We've received the following question:
".... for the transition to ISO 27001:2013, my plan aims to have everything done in one year, but my boss is looking for a reduction in the number of controls selected as applicable. I would like to confirm my understanding: all controls selected in the risk assessment are the ones in the SoA. Is this true?"
Answer:
"It is true that risk assessment and treatment determine which controls will be selected as applicable in the Statement of Applicability; however, your top management must decide what the acceptable level of risk is.
Therefore, if they set the acceptable level of risk lower, this means that you won't have to implement some of the controls, because the related risks will be acceptable. This also means your top management will be responsible if these risks materialize, which is usually not a very wise decision.
Having said that, the SoA shall include at least all the controls from Annex A, whether applicable or not. Justification must be included for the controls that are not applicable. The justification for not-applicable controls is based on the risk that your organization is assuming, and your top management must be aware of that during the external audit. The auditor needs to be convinced by the justification you provide for each excluded control. Each control in the SoA needs to be identified with the risk or risks to which it is applicable.
If you are interested in learning more about the Statement of Applicability, see this article: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/"
Thanks