Expert Advice Community

Risk register versus Statement of Applicability - number of controls

Created:   Nov 19, 2021 Last commented:   Nov 23, 2021


I work with a small company and we've just completed RR. This took us to the SoA. I can see 54 controls to address. My gut feeling is that this is not enough to achieve the certification. What are your thoughts/experiences here, please?

Expert
Rhand Leal Nov 23, 2021

Our experience shows us that companies typically have ca. 80 controls implemented before the start of an ISO 27001 project, and then they have ca. 20 to 30 controls to implement during the project.

Once you go through the Statement of Applicability to start determining whether particular controls are applicable, you will take into account not only the risks, but also legal and customer requirements, as well as common sense - e.g. if the backup control was not selected, you will most likely still mark it as applicable.

This article will provide you with a further explanation about the SoA:
- The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
