Guest user Created: Nov 24, 2021 Last commented: Nov 24, 2021

Question on SOA

In your template for the SOA you show the column “Control objectives” for which in my understanding S.M.A.R.T objectives shall be listed. In your ISO 27001 foundation course video about the SOA, this column is missing. Therefore, I would like to know if it is mandatory or not? Because I struggle to find adequate measurable objectives for all applicable controls.

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Nov 24, 2021

ISO 27001 doesn't require you to specify objectives in the Statement of Applicability - you can use some other document for this purpose. However, we felt that listing objectives next to each control in SoA is the most practical solution.

Regarding the objectives, to make it easier, you can specify the objectives for groups of controls, very similar to what is written in Annex A of ISO 27001.

This article will provide you a further explanation about Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- ISO 27001 control objectives – Why are they important? https://advisera.com/27001academy/blog/2012/04/10/iso-27001-control-objectives-why-are-they-important/

Quote

0 1

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Nov 24, 2021

Expert Advice Community

Question on SOA

Question on SOA

Assign topic to the user

Comment as guest or Sign in

Suggested Topics

Question about Annex A and SOA

Question about SoA

Question about SOA