After reviewing what we’ve done so far for the ISO27001 implementation, there has been a bit of uncertainty about the implementation of ISO controls.
Before starting with ISO27001 we had already done a lot of things as securely as possible.
This has resulted in not many risks in our risk assessment and not many controls being stated applicable in the Statement of Applicability.
I read in various articles that the SoA should probably have 80 – 90% of the controls stated applicable, whereas we only have a handful at most.
My question is whether we’re doing this right or might be misinterpreting something. Or perhaps our approach has been inadequate.
So far we’ve identified a few risks, decided which controls we should implement, and implemented those with help from the toolkit and videos. Hopefully you could give us a new perspective and help us find hidden risks.