
Expert Advice Community

Preparing Statement of Applicability

Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

When performing the SoA phase, is there a minimum or maximum number of controls to select? Do you have to select controls from every section of the 35 main security categories?

DejanK | Jan 12, 2016

ISO 27001 does not require a minimum or maximum number of controls to select, nor does it require you to select controls from every section of Annex A. Further, you can select controls that are not listed in Annex A, i.e. ones that you added on your own.

When you look closely at Annex A, you will realize two things: (1) it is really difficult to exclude most of the controls because they are common sense - for example, it would be difficult to exclude the control for backup (A.12.3.1) or the control for anti-virus protection (A.12.2.1), and (2) you had already implemented at least 50% of the controls before you started your ISO 27001 implementation.

In effect, most companies do not select fewer than 90 controls in the SoA. See also this article: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
