I already used risk ID's inside the SoA template and wrote down „Risk #8, #10, #38“ for example. I did it like Dejan’s video tutorial said. But control A.12.6.1 includes (in my opinion) almost any risks out of the risk assessment table and I would like to write a general statement for „reason for selection / exclusion“ instead of writing each risk ID down. Is this possible? I did it for some other controls inside the SoA already too.
Assign topic to the user
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now 
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now
Answer:
In this case (when you have a large number of risks to refer in the SoA) I suggest you to list in the SoA only the IDs of the 3 or 4 most critical risks related to this control and inform the quantity of other risks that justify the application of this control that can be found in the results of risk assessment. See this example:
"Risks #3, #18, #27, and 23 other risks that can be found in the results of risk assessment."
Comment as guest or Sign in
Sep 10, 2019