Guest user Created: May 27, 2018 Last commented: May 27, 2018

Risk assessment and SoA

I just have a question regarding the ISO 27001 standard which I am busy doing my course on. Does the standard define that the SOA must have risks listed in it, Is this a requirement in order to be certified and would the auditor want to see this?

0 0

Assign topic to the user

Select user

Expert

Rhand Leal May 27, 2018

If I have a risk assessment documented already must I document the risks in the SOA as well?

Answer: The Statement of Applicability is required by ISO 27001 clause 6.1.3 d), so it is needed for certification purposes. In fact, it is one of the main documents used by the auditor during an audit.

Although important to the SoA to justify the applicability of controls, there is no need to document risks in the SoA. In such cases you can simply refer to the risks identifiers used on the risk assessment document (e.g., "control applicable to treat risks identified by numbers 12 and 34 in the risk assessment).

These article will provide you further explanation about mandatory documents and SoA:
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/ dgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding mandatory documents and SoA:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

May 26, 2018

Expert Advice Community