Expert Advice Community

Guest

Justification and control objectives

  Quote
Guest
Guest user Created:   Aug 05, 2022 Last commented:   Aug 05, 2022

Justification and control objectives

I am currently running back through the statement of applicability, and was wondering what is expected of us when it comes to the audit for the justification and control objectives column. I don't necessarily have legal or contractual reasons for justifying some controls, but they still apply. For example, we are fully remote so teleworking applies. Am I allowed to fill the justification in for this with the reason being that we operate on a remote structure?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 05, 2022

Please note that justifications in the Statement of Applicability need to be based on applicable legal requirements, relevant risks, or management decisions (in general because management considers the implementation of control as a good practice).

Considering that, the fact that you operate on a remote structure wouldn’t be enough. Since you stated that you do not have legal or contractual reasons for justifying some controls, you should review the results of the risk assessment to see if any identified risk can be used as a justification. If there are no relevant risks, you do not need to implement any controls.

In case you decide to implement a control regardless of the lack of legal requirements and relevant risks, you can state as justification that the control implementation is considered good practice management.

For further information, see:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 05, 2022

Aug 05, 2022

Suggested Topics