Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

Risk treatment and SOA

  Quote
Guest
Guest user Created:   Mar 24, 2017 Last commented:   Mar 24, 2017

Risk treatment and SOA

I have a question about the Statement of Applicability from the ISO 27001 and a question about the Risk Treatment Table from the ISO 27001.
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 24, 2017

1- Controls that were already implemented before the Project for ISO 27001 Implementation started, how should they be mentioned in the Statement of Applicability?

Answer: They should be stated as applicable like all other controls identified as necessary by your risk assessment. The one thing that will change is the justification, since they were not based on the results of risk assessment. You can say, for example, that they were implemented by customer request, legal requirement, or as a best practice of the industry.

This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2 - In the Risk Treatment Table: If more than one control can be implemented to reduce a Risk, is implementing one control suffi cient?

Answer: If you evaluate that after the implementation of the first control the risk level will decrease to an acceptable value you do not need to implement other controls. You only have to verify after the effective implementation if you achieved the desired security level. After evaluating the results you can confirm that other controls are not necessary or if you have to make some additional implementation.

This article will provide you further explanation about Risk treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding Risk treatment and the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 24, 2017

Mar 24, 2017

Suggested Topics

Guest user Created:   May 06, 2017 ISO 27001 & 22301
Replies: 1
0 0

Risk Treatment and SoA

Guest user Created:   Apr 17, 2019 ISO 27001 & 22301
Replies: 1
0 0

Risk assessment and BIA