Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

Implementation method and status of controls in Statement of Applicability

We are working on completing the SoA and are a bit confused on how best to fill in the implementation method and status. In a number of cases, we have a current method in place to address a control but we don't consider that method to be fully adequate as a control. So we plan in the near future to develop a more extensive control.

0 0

Assign topic to the user

Select user

Guest

DejanK Jan 13, 2016

For example, for A.9.4.3 Password Management System, we typically use LastPass to store and when necessary share passwords. We do not have a formal Access Control Policy but we plan to develop one in the coming months.

So in a case like this, what should we include in the Implementation Method and Status columns? Should Status reflect that we recognize the current implementation needs to be improved?

Answer:

In this particular case you should write that the implementation method is "Installation of LastPass and writing the Access Control Policy", and your current status would be "Partially implemented." Of course, after you write your Access Control Policy, you would change the status to "Implemented."

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 13, 2016

Expert Advice Community