It is highly unlikely that an organization does not have risks that justify the implementation of controls, so you should review your risk assessment criteria and results to be sure of these results.
Items like the acceptance criteria level and which persons participate in the assessment should be checked, to see if the criteria are compatible with your organizational context and if people with knowledge of business activities were involved in the process.
Additionally, the most common problem is that people assessing the risks assign too low a level for impact.
This material will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-risk-management-in-plain-english/
Thanks for your response to my question but it doesn't provide the answer I am looking for.
We have reference to related risks on the Statement of Applicability but the issue for me is that the policies were mainly formulated as a result of business requirements, best practices, contractual obligations and legal requirements, and not as a result of risk assessment.
I want to know if the SOA will meet up with ISO 27001 standards with the justification for formulating the policies.
ISO 27001 only requires that results of risk assessment are taken into account when defining risk treatment and SoA, not that the majority of controls must have risks as justification for applicability (this is not a common situation, so you should be prepared for some questioning from the auditor).
Provided that in the SoA you refer to the most relevant identified risks, it can be accepted for certification purposes.
Nov 26, 2021