I know that generally the justification for selecting a control can be a risk, a top management solution, or a legal requirement.
Can the justification also be "Best practices in IT" or "IT management decision"? Or must it be one of the three mentioned above?
Thank you!
In general, a "Top Management decision" is made because the management considers the control a market best practice in the related field (e.g., best practice in IT for a network control, best practice in HR for a human-related control, etc.), so your first example is acceptable (it will only make the main reason explicit), but it needs to be related to the highest position in the ISMS scope (e.g., "Best practices in IT according to Top Management").
Regarding your second example, you can use IT management only if this is the highest position in your ISMS scope (e.g., the ISMS scope is limited to the IT department or IT processes).
These articles will provide you with further explanation about risk management and the SoA:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Dec 07, 2020