Mapping all controls with risks
Answer:
No. First of all, most companies won't have risks related to every control, which means that most companies won't find all controls applicable - see this article which explains that logic: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Second, you might find some controls applicable even though there are no related risks: there are cases when you have to comply with some laws or regulations - e.g. applying encryption - even though the risk assessment does not show any related risks.
By the way, this article will explain to you how this applicability is documented: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Oct 11, 2016