Expert Advice Community

Is it mandatory to implement all 114 controls?

Guest user | Created: Mar 18, 2016 | Last commented: Mar 18, 2016

I have a query regarding preparing the SOA on control objectives and controls. We have 114 controls in Annexure A, coming under different sections. Is it mandatory for us to implement controls for each of the items in the different sections? Or can we categorize them as the mandatory ones and the non-mandatory ones required to get certified? Also, how can I document/convince the auditor as to why a control is not required for us?

Antonio Jose Segovia, Mar 18, 2016

Answer:
It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013; you only need to implement those that you need to reduce the risks identified during the risk assessment (or those that are related to laws, contractual requirements, etc.). In the SOA you need to include the list of controls that apply to your business (in the same order in which they appear in the standard).

Regarding the justification for the auditor, you simply need to show the auditor that you apply and implement only those controls that you need to reduce risks (or those that are related to laws, contractual requirements, etc.).

For more information about the SOA, please read this article, “The importance of Statement of Applicability for ISO 27001”: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

And this course can give you more information about the connection between risks and controls, “The basic logic of ISO 27001: How does information security work?”: https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Finally, in our course “ISO 27001:2013 Foundations Course” you can also find more information about the SOA: https://training.advisera.com/course/iso-27001-foundations-course/