Expert Advice Community

Guest

Preparing SoA

  Quote
Guest
Guest user Created:   Nov 24, 2021 Last commented:   Nov 26, 2021

Preparing SoA

We are trying to implement an ISMS to ISO 27001 standards in my new organization. In trying to prepare a Statement on Applicability, I discovered that virtually all the controls were based on business requirements, best practices, contractual obligations and legal requirements. They were not based on the result of risk assessments. Can the organization still go ahead with the implementation process, or we will need to reassess the risks on a risk assessment basis?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Nov 24, 2021

It is highly unlikely that an organization does not have risks to justify the implementation of controls, so you should review your risk assessment criteria and results to be sure of these results.

Items like acceptance criteria level, and which persons participate in the assessment should be checked to see if the criteria are compatible with your organizational context and if people with knowledge of business activities were involved in the process.

Additionally, most commonly people assessing the risks are assigning too low a level for Impact.

This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/

Quote
0 0
Guest
Guest user Nov 24, 2021

Thanks for your response to my question but it doesn't provide the answer I am looking for.


We have reference to related risks on the Statement of Applicability but the issue for me is that the policies were mainly formulated as a result of business requirements, best practices, contractual obligations and legal requirements, and not as a result of risk assessment.


I want to know if the SOA will meet up with ISO 27001 standards with the justification for formulating the policies.

Quote
0 0
Expert
Rhand Leal Nov 26, 2021

ISO 27001 only requires that results of risk assessment are taken into account when defining risk treatment and SoA, not that the majority of controls must have risks as justification for applicability (this is not a common situation, so you should be prepared for some questioning from the auditor).

Provided that in the SoA you refer to the most relevant identified risks it can be accepted for certification purposes.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 24, 2021

Nov 26, 2021

Suggested Topics

Guest user Created:   Dec 23, 2019 ISO 27001 & 22301
Replies: 1
0 0

SOA Documentation

Guest user Created:   Jan 15, 2021 ISO 27001 & 22301
Replies: 2
0 0

How to prepare an audit?