Expert Advice Community

Info about SoA document

Guest user Created:   Nov 19, 2021 Last commented:   Nov 19, 2021

Quick question about the "Justification for selection/non-selection" column: I watched the video, and the examples say that there must always be a risk or regulatory reason; couldn't it also be a requirement of the business or of ISO itself? For example, could A.5.1.1 be a business requirement to improve market position?
Expert
Rhand Leal Nov 19, 2021

A third common justification can be "Management decision", when management decides that it considers a control to be applicable; this decision can be based on anything they consider important, including business requirements.

If your reason is improving a market position, it would be better to write 'Management decision' instead because marketing is not directly related to security.

For further information, see:
- The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
