Question about SoA
Please note that either you have unacceptable risks or you do not have them - if you do not have them, then classification controls will not be applicable; if you have unacceptable risks, then the controls need to be applicable, and in such a case, during the implementation you can define whether these controls apply only to some assets (e.g. secure data center) or to all assets.
This article will provide you with a further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Jun 10, 2021