Expert Advice Community

Mapping all controls with risks

Guest user. Created: Oct 11, 2016. Last commented: Oct 11, 2016

Is it a requirement that every single control in the standard is mapped to at least one risk/vulnerability during the risk assessment phase?

Expert: Dejan Kosutic, Oct 11, 2016

Answer:

No. First of all, most companies won't have risks related to every control, which means that most companies won't find all controls applicable - see this article, which explains that logic: The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

Second, you might find some controls applicable even though there are no related risks: there are cases when you have to comply with some laws or regulations - e.g. applying encryption - even though the risk assessment does not show any related risks.

By the way, this article will explain to you how this applicability is documented: The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
