Preparing Statement of Applicability
ISO 27001 does not require a minimum or maximum number of controls to select, nor does it require you to select controls from every section of Annex A. Further, you can select controls that are not listed in Annex A - ones that you added on your own.
When you look closely at Annex A, you will realize two things: (1) it is really difficult to exclude most of the controls because they are common sense - for example, it would be difficult to exclude the control for backup (A.12.3.1) or the control for anti-virus protection (A.12.2.1), and (2) at least 50% of the controls you had already implemented before you started your ISO 27001 implementation.
In effect, most companies do not select fewer than 90 controls in the SoA. See also this article: Overview of ISO 27001:2013 Annex A https://advisera.com/27001academy/iso-27001-controls/
Jan 12, 2016