
Implementation method and status of controls in Statement of Applicability

Guest user. Created: Jan 13, 2016. Last commented: Jan 13, 2016.


We are working on completing the SoA and are a bit confused on how best to fill in the implementation method and status.  In a number of cases, we have a current method in place to address a control but we don't consider that method to be fully adequate as a control.  So we plan in the near future to develop a more extensive control.  
DejanK Jan 13, 2016

For example, for A.9.4.3 Password Management System, we typically use LastPass to store and when necessary share passwords.  We do not have a formal Access Control Policy but we plan to develop one in the coming months.

So in a case like this, what should we include in the Implementation Method and Status columns? Should Status reflect that we recognize the current implementation needs to be improved?

Answer:

In this particular case you should write that the implementation method is "Installation of LastPass and writing the Access Control Policy", and your current status would be "Partially implemented." Of course, after you write your Access Control Policy, you would change the status to "Implemented."