Identification of justifications for SoA
In the Document 06_Statement of Applicability, in the Column below in “Justification for selection/non Selection in SOA” how can we identify that whether the selection of a control is based on Risk Assessment results, contractual or legal obligation?
Assign topic to the user
https://advisera.zendesk.com/attachments/token/0Sa3NH86A9WJA1S9njTfJrTuc/?name=image001.png
When the justification for control applicability is related to risk assessment results, you can identify the Id of the related risks (e.g., results of last risk assessment ID 32, ID 17, and ID 23). As for contractual or legal obligation, you can identify the name of the obligation (e.g., name of the law or ID of the contract), and the clauses related to the control.
Included in the toolkit you bought you also have access to a video tutorial that can help you fill the Statement of Applicability.
This article will provide you a further explanation about Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Comment as guest or Sign in
Jan 06, 2020