Guest
Implementation method and status of controls in Statement of Applicability
We are working on completing the SoA and are a bit confused on how best to fill in the implementation method and status. In a number of cases, we have a current method in place to address a control but we don't consider that method to be fully adequate as a control. So we plan in the near future to develop a more extensive control.
For example, for A.9.4.3 Password Management System, we typically use LastPass to store and when necessary share passwords. We do not have a formal Access Control Policy but we plan to develop one in the coming months.
So in a case like this, what should we include in the Implementation Method and Status columns? Should Status reflect that we recognize the current implementation needs to be improved?
Answer:
In this particular case you should write that the implementation method is "Installation of LastPass and writing the Access Control Policy", and your current status would be "Partially implemented." Of course, after you write your Access Control Policy, you would change the status to "Implemented."
Jan 13, 2016