Expert Advice Community

Guest

Implemented controls

Guest user Created: Dec 04, 2018 Last commented: Dec 04, 2018

What percentage of controls in the SoA that you typically see are implemented as a result of the risk assessment? Organizations usually have a lot of controls within the 114 already implemented as best practice, due diligence, or a requirement for legal compliance. Is 25% what you observe generally? Does that have any value in certification, i.e. how many controls are implemented due to risk mitigation?


Expert
Rhand Leal Dec 04, 2018

Answer:

Our experience shows us that companies typically have ca. 80 controls implemented before the start of an ISO 27001 project, and then they have ca. 20 to 30 controls to implement during the project.

The quantity of implemented controls does not have a direct impact on the certification, because information security management is about balancing needs and expectations with the level of acceptable risk (similar organizations may have different numbers of implemented controls and both can be certified).

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

This material will also help you regarding selecting controls:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
