Guest
Controls in the SoA that do not show up in the Risk Assessment
We have controls in the SoA that we want to implement that are not specifically part of the risk assessment table, i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?
Expert
Rhand Leal
Aug 29, 2023
You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:
- it is required because a legal requirement (e.g., law, regulation, or contract) demands its implementation
- it is required by top management as a good practice