Expert Advice Community

Question about SoA

Guest user Created:   Jun 10, 2021 Last commented:   Jun 10, 2021

Dear Dejan,

I have a question for you about the Statement of Applicability. I’m doing an ISO 27001 implementation at a software company, and the shareholders have given us only a couple of months. So I want to do a minimal project, doing only the necessary policies, with the idea that we can expand on that in the coming years. So I looked at which documents are mandatory and which ones are not. But now I wonder how that translates into the SoA.

Example: we have a SaaS solution, so all information from customers is on very secure cloud systems from our suppliers. We don’t have very much information that is very exciting on SharePoint servers. If the classification policy is not mandatory, and if it’s not a risk coming out of the risk analysis that we need to control, does this mean we can say No on A.8.2.1 and the following controls, or can I say Yes and fill in the limited measures we have, like the secure data center and so on? How would you go about this?


Expert
Rhand Leal Jun 10, 2021

Please note that either you have unacceptable risks or you do not have them. If you do not have them, then classification controls will not be applicable; if you have unacceptable risks, then the controls need to be applicable, and in such a case during the implementation you can define whether these controls apply only to some assets (e.g. the secure data center) or to all assets.

This article will provide you with a further explanation about the selection of controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
