Expert Advice Community


Controls in the SoA that do not show up in the Risk Assessment

Guest user Created:   Aug 29, 2023 Last commented:   Aug 29, 2023

We have controls in the SoA that we want to implement that are not specifically part of the risk assessment table, i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that OK? Can we have controls in the SoA that are not specifically part of the risk management?


Expert
Rhand Leal Aug 29, 2023

You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:

  • it is required because a legal requirement (e.g., law, regulation, or contract) demands its implementation
  • it is required by top management as a good practice