
Expert Advice Community


Risk treatment plan vs Statement of applicability

Guest user Created:   May 03, 2020 Last commented:   May 03, 2020


I'm trying to understand the difference between the risk treatment plan and the statement of applicability. Shouldn't one document show which controls need to be implemented? It seems like the purpose is the same.


Expert
Rhand Leal May 03, 2020

Please note that the statement of applicability presents a summary of which controls are necessary, the justification for their inclusion, whether they are implemented or not, and the justification for excluding controls from Annex A. The risk treatment plan, on the other hand, documents which actions are necessary to implement the security controls you need, who is responsible for them, what the deadlines are, and which resources are required.

In short, the purpose of the SoA is to describe the security profile of a company, while the purpose of the RTP is to define implementation responsibilities.

These articles will provide you with a further explanation of the Statement of Applicability and Risk Treatment Plan:

These materials will also help you with the Statement of Applicability and Risk Treatment Plan:
