Expert Advice Community

Justification in the SoA

Guest user Created: Nov 20, 2019 Last commented: Nov 20, 2019
Hi, I have some questions about the "Justification for selection / non-selection" in the SoA:
  1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?
  2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of 'All risks associated with "inadequate protection from unauthorized access"' rather than itemize each risk?

Expert
Rhand Leal Nov 20, 2019

1. Some of the Annex A clauses are worded as if they are mandatory; for example, 5.1.1: "A set of policies for information security shall be defined [...]". Is it acceptable to justify selection on the basis that this is a mandatory element of 27001?

Please note that a control from ISO 27001 Annex A is mandatory only if:
- There are unacceptable risks that require the implementation of the control
- There are legal requirements that require the implementation of the control
- There is a top management decision that requires the implementation of the control

These are acceptable justifications to apply a control.

If none of the above applies, you do not need to implement the control. What happens is that once a control is deemed applicable, all "shall" items related to it must be implemented.

This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

2. We have multiple risks associated with the same vulnerability (as expected); for example, the vulnerability "inadequate protection from unauthorized access" occurs many times. Is it acceptable to justify on the basis of 'All risks associated with "inadequate protection from unauthorized access"' rather than itemize each risk?

This approach is not acceptable because it does not allow an easy identification of which risks are related to the applied control. In this case, you can only mention in the SoA the ID of the risks listed in the risk treatment plan. For example, "Control X is applicable because of unacceptable risks 23, 35 and 47 listed in the risk treatment plan".

This article will provide you further explanation about SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

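The expert's two rules above (a justification must cite unacceptable risk IDs from the risk treatment plan, a legal requirement, or a management decision; "it is mandatory in the standard" and vulnerability-only wording do not count) can be turned into an automated SoA review. The following is an added example, not code from the thread or from Advisera; the risk IDs, control numbers, justification phrases and keyword lists are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: risk IDs that exist in the risk treatment plan (RTP).
RISK_TREATMENT_PLAN = {23, 35, 47, 51}

# Constructed keyword lists for the two non-risk grounds the expert names.
LEGAL_TERMS = ("legal requirement", "regulation", "contractual")
MANAGEMENT_TERMS = ("top management decision", "management decision")


@dataclass
class SoaEntry:
    control: str          # e.g. "A.9.1.1" (constructed)
    applicable: bool
    justification: str


def referenced_risk_ids(text: str) -> set[int]:
    """Extract integer risk IDs from phrases like 'risks 23, 35 and 47'."""
    m = re.search(r"risks?\s+((?:\d+\s*(?:,|and)?\s*)+)", text, re.IGNORECASE)
    return {int(n) for n in re.findall(r"\d+", m.group(1))} if m else set()


def check_entry(entry: SoaEntry, rtp: set[int] = RISK_TREATMENT_PLAN) -> list[str]:
    """Return review findings for one SoA row; an empty list means it passes."""
    j = entry.justification.lower()
    findings = []
    if not entry.applicable:
        # Excluded controls still need a reason, but no risk cross-reference.
        return [] if j.strip() else [f"{entry.control}: excluded control has no justification"]
    if "mandatory" in j:
        # Question 1: Annex A wording alone is not a valid selection reason.
        findings.append(f"{entry.control}: 'mandatory in the standard' is not a valid justification")
    ids = referenced_risk_ids(j)
    if ids - rtp:
        findings.append(f"{entry.control}: risk IDs not in the RTP: {sorted(ids - rtp)}")
    has_risk = bool(ids)
    has_legal = any(t in j for t in LEGAL_TERMS)
    has_mgmt = any(t in j for t in MANAGEMENT_TERMS)
    if not (has_risk or has_legal or has_mgmt):
        # Question 2: 'all risks associated with <vulnerability>' lands here,
        # because it names no risk ID from the risk treatment plan.
        findings.append(f"{entry.control}: no unacceptable risk ID, legal requirement, "
                        "or management decision cited")
    return findings
```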