Thank you for your helpful answer and advice. Besides, would you mind answering another question? This would be so kind of you. Now I'm filling in the document "Statement of Applicability". I'm kind of stuck a bit in the column "Reason for choosing / Reason for exclusion". I mean, I read Dejan's note that this gap is all about the results of the risk assessment and the contractual and legal obligations. But some controls our risk assessment didn't even touch. I know that we have to have a guideline above all. But what's the reason for choosing? (Because we want to have the certificate. ;)) I wrote for now: "protection of information against internal and external threats, intentional and accidental." Or is it better, if you implement the control, to ALWAYS write (the same): "based on the results of the risk assessment, the contractual and legal obligations"?
Answer: If your risk assessment does not identify risks that justify the applicability of a control, then you should look for clauses in laws, contracts or standards you have to follow that may demand the application of such controls. In this case you may state "control applicable to comply with law/contract XXXX, clause YYYY".
If you still do not find legal requirements to justify a control's applicability, you can state "Control applicable because of a Top Management decision to follow industry/market best practices", or "Control applicable because of a Top Management decision to support a business objective".
You should note that you will hardly ever use the last examples (based on a top management decision), because generally there will be risks or legal clauses to support a control's applicability.
This article will provide you with further explanation about the SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Aug 04, 2018