Implementation of controls
Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control
If none of these occurs, there is no need to implement a control considering ISO 27001 requirements.
These articles will provide you further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
We received this question:
> Can you also let me know if I decide to implement a control from Annex A, does that mean that we have to implement all the requirements for that control from the ISO 27002 standard?
Answer: Most of the ISO 27002 text is written as "you should...", meaning that you only have to implement some items if you identify a need to do that (based on the results of your risk assessment). So, for some controls you may have to implement all items, while for others you have to implement only a few of them.
Mar 31, 2018