Expert Advice Community

Do we need to implement all the controls from SoA for the certification?

Guest
Guest user Created:   Aug 26, 2017 Last commented:   Aug 26, 2017

Do we need to implement all the controls from Statement of Applicability for the certification? Any idea regarding the percentage of status of the controls in the SoA that can be “planned”, “partially” or “implemented"?
Expert
Dejan Kosutic Aug 26, 2017

Answer: You can leave some of the controls to be implemented after the certification, under the following conditions:
1) That, before the certification, you have implemented the controls that mitigate the biggest risks - in other words, you can leave only the less important controls for after the certification.
2) That you have specified, in your Risk Treatment Plan, the deadlines for the controls you will be implementing after the certification - of course, those deadlines must fall after the certification date.
3) That your risk owners or top management accept all the risks for which the controls have not been implemented before the certification.

This means that the most important controls must have "implemented" status at the time of the certification, while the less important controls can have the status "planned" or "partially implemented" at that moment.

See also these articles:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- Risk Treatment Plan and risk treatment process – What’s the difference?

These materials will also help you regarding Statement of Applicability and the risk management process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/