Risk treatment and SOA
1 - Controls that were already implemented before the Project for ISO 27001 Implementation started, how should they be mentioned in the Statement of Applicability?
Answer: They should be stated as applicable, like all other controls identified as necessary by your risk assessment. The one thing that will change is the justification, since they were not based on the results of the risk assessment. You can say, for example, that they were implemented by customer request, as a legal requirement, or as a best practice of the industry.
This article will provide you further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2 - In the Risk Treatment Table: If more than one control can be implemented to reduce a Risk, is implementing one control sufficient?
Answer: If you evaluate that, after the implementation of the first control, the risk level will decrease to an acceptable value, you do not need to implement other controls. You only have to verify, after the implementation has taken effect, whether you achieved the desired security level. After evaluating the results you can confirm whether other controls are not necessary or whether you have to make some additional implementation.
This article will provide you further explanation about Risk treatment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
These materials will also help you regarding Risk treatment and the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
Mar 24, 2017