ISO 27001 Annex A controls and the Statement of Applicability

Guest user Created:   Nov 11, 2016 Last commented:   Nov 11, 2016

We have a new ISO 27001 auditor who tells us that we must have all of the controls included in our SOA. We have excluded some controls, and he is now going to issue us a finding for not having them in place. Does ISO "require" that we include all controls?

Expert
Rhand Leal Nov 11, 2016

Answer: According to ISO 27001:2013, clause 6.1.3.d, all 114 controls described in Annex A must be listed in the SoA. Controls that are not needed, because there are no related risks or requirements of interested parties to justify their implementation, can be marked as non-applicable.

This article will provide you with further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
