Get 4 FREE months of Conformio to implement ISO 27001

Expert Advice Community

Guest

Controls in the SoA that so not show up in the Risk Assessment

  Quote
Guest
Guest user Created:   Aug 29, 2023 Last commented:   Aug 29, 2023

Controls in the SoA that so not show up in the Risk Assessment

We have controls in the SoA that we want to implement, that are not specifically part of the risk assessment table i.e., not used to mitigate a specified threat. However, it still makes sense to implement these controls. Is that ok? Can we have controls in the SoA that are not specifically part of the risk management?

0 0

Assign topic to the user

ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.

ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.

Expert
Rhand Leal Aug 29, 2023

You can consider a control applicable in the SoA even if it is not related to the results of risk assessment and treatment if:

  • it is required because a legal requirement (e.g., law, regulation, or contract) demands its implementation
  • it is required by top management as a good practice
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 29, 2023

Aug 29, 2023

Suggested Topics