Expert Advice Community

Exclusion of security controls in Statement of Applicability

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

How many security controls can be excluded in the SoA if we want to implement them at a later stage, and what can be the exclusion justification for that?

DejanK Jan 12, 2016

Answer: There is no limit to the exclusion of controls from the Statement of Applicability; however, I have never seen a company that would exclude more than 30 controls. The main criterion for excluding controls from the SoA is that there are no risks, nor legislative or contractual requirements, that would require such a control.

If you want to implement those controls at a later stage, there are two ways to do it:

a) You recognize such risk(s) right away, and in your Risk Treatment Plan define that you will implement the applicable controls some time in the future, or

b) If the risks do not exist at the moment, recognize them when you do the risk assessment review in the future, and at that time start implementing the controls.
