Is it mandatory to implement all 114 controls?
Answer:
It is not mandatory to implement all 114 controls of Annex A of ISO 27001:2013; you only need to implement those that you need to reduce the risks identified during the risk assessment (or those that are related to law, contractual requirements, etc.). In the SOA you need to include the list of controls that apply to your business (in the same order in which they appear in the standard).
Regarding the justification for the auditor, you simply need to show the auditor that you apply and implement only those controls that you need to reduce risks (or those that are related to law, contractual requirements, etc.).
For more information about the SOA, please read this article, "The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
This article can give you more information about the connection between risks and controls, "The basic logic of ISO 27001: How does information security work?": https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Finally, you can also find more information about the SOA in our "ISO 27001:2013 Foundations Course": https://advisera.com/training/iso-27001-foundations-course/
Mar 18, 2016