What should the justification in the SoA be like? Is it to rephrase the "Controls" in the standard Annex A? And what else should be included in the SoA?
Answer:
The justification depends on the source of each control. During the risk treatment you need to identify controls that are necessary to decrease risks, but you also identify controls that are required for other reasons: law, contractual requirements, or other processes. So, the justification could be: "Implemented because of contractual requirements", or "Implemented to decrease risks related to
or also "This control is not implemented because the organization does not have teleworking" if the control is not implemented.
Generally the original definition of each control in Annex A is enough (all controls were developed by experts from all over the world), so from my point of view you can keep the original control and, if you want, include some more actions or controls (you can also use controls from other sources, for example PCI-DSS).
The most important thing is the applicability and the justification of each control, but as a best practice you can also include a field for the implementation method (how you have implemented each control).
For more information about the SoA, you can read this article, The importance of Statement of Applicability: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
And you can also see a free version of our template for the SoA by clicking on the Free Demo tab here: https://advisera.com/27001academy/documentation/statement-of-applicability/
Jan 12, 2016