Exclusion of security controls in Statement of Applicability
Answer: There is no limit on the exclusion of controls from the Statement of Applicability; however, I have never seen a company that excluded more than 30 controls. The main criterion for excluding controls from the SoA is that there are no risks, nor legislative or contractual requirements, that would require such a control.
If you want to implement those controls at a later stage, there are two ways to do it:
a) You recognize such risk(s) right away and, in your Risk Treatment Plan, define that you will implement the applicable controls some time in the future, or
b) If the risks do not exist at the moment, recognize them when you do the risk assessment review in the future, and at that time start implementing the controls.
Jan 12, 2016