Expert Advice Community

ISO27001:2013 - 6.1.3 c) - verifying that no controls have been left out

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

I have a question about section 6.1.3 of the ISO 27001:2013 standard.  I have successfully completed the selection of controls for each risk in the organisation but this section of the standard mentions verifying that no controls have been left out for any given risk.
DejanK Jan 12, 2016

I understand that the policy must dictate that there is a procedure for this, and I have created an entry in the Risk Assessment and Treatment Methodology around this process, however I was wondering if this needed to be evidenced?  Would I be required to, for each risk, identify that each control was considered and where it was not selected, why?

Answer:

I have a small correction to your statement - clause 6.1.3 c) of ISO 27001 says "... verify that no necessary controls have been omitted." - therefore you don't have to verify this for each and every risk.

The answer to your question lies in writing the Statement of Applicability - it will enable you:

To decide for each control from Annex A whether it is applicable or not, and
To declare why you didn't select particular controls.

Statement of Applicability is a mandatory document, so you'll have everything documented - learn more here: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
