Guest user Created: Jan 01, 2019 Last commented: Jan 01, 2019

Filling the Statement of Applicability template

I have an inquiry regarding the Statement of applicability document section 3. Applicability of controls ; why do we have to fill the control objectives column ? and is it mandatory ? if mandatory would you please provide a supporting material or example as the ref. article at the attached form is not helpful.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Jan 01, 2019

Answer:

Control objectives are important for at least two reasons:
1 - They help fulfill clause 6.2 (Information security objectives and planning to achieve them)
2 - They are used during performance evaluation (requirements from clause 9) as reference to decide if the controls are being effective or if adjustments are needed.

It is important to note that:
- Control objectives are not mandatory in the Statement of Applicability (although include them in SoA is a god practice to decrease administrative efforts to manage several documents).
- You do not have to specify objectives for each and every control

A good tip for establish control objectives is to copy the objectives from Annex A (this is acceptable for certification purp oses).
To help you define control objectives I suggest you this article:
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 01, 2019

Expert Advice Community