Expert Advice Community

Number of not applicable controls in statement of applicability

Guest
gabryprof Created:   Jun 01, 2016 Last commented:   Jun 02, 2016

Dejan, after two stage 1 audits for two companies I feel rather confused, because I excluded almost fifty percent of the controls in Annex A, and the auditor considered this a problem to fix. Is it mandatory to apply almost one hundred controls? The two companies chose the controls to apply after the risk assessment process, and defined as not applicable those for which there was no risk to treat or no requirement by interested parties.
Expert
Dejan Kosutic Jun 02, 2016

Yes, excluding 50% of controls is rather odd.

It is true that there is no mandatory number of controls, so theoretically you could include any number of controls. However, in practice, I have never seen a company which excluded e.g. backup, or malware protection, or business continuity controls. So the point is - most of the controls from Annex A are common sense, and it is very difficult to find a reason to exclude them.

In other words, the criteria for selecting controls are not only risks or requirements from interested parties - it is also if you have good enough reason to exclude particular controls.

Guest
gabryprof Jun 02, 2016

Thank you for your answer. Now I am preparing a new version and I'll exclude about 10 controls.
