Question 1: Does this then mean that when the SOA controls are selected that the controls linked to the mandatory documents also needs to be selected for implementation?
Question 2: If that specific control has not been linked as a mitigating control to an identified risk, why must the document then be developed and implemented?
· Secure system engineering principles (clause A.14.2.5)
· Supplier security policy (clause A.15.1.1)
· Incident management procedure (clause A.16.1.5)
· Business continuity procedures (clause A.17.1.2)
Answer 1: If you have in your SoA a control that have been applied and it is related to a mandatory document, sure, you need to implement (and document) it.
Answer 2: If you do not apply a control (related to a mandatory document), it is not necessary to develop a document for it. Another scenario is: you have a control that applies, but it is not related to a mandatory document, so it is not necessary to develop it. And another scenario: you have a control that applies, and it is related to a mandatory document, so it is necessary to develop it.
Anyway, in the most of companies all controls related to the mandatory document are applied, so in the most of cases you will need to develop all mandatory documents because they will be related to controls that apply to the organization.
Finally, I think that this article can be interesting for you, please read it The importance of Statement of Applicability for ISO 27001 : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Comment as guest or Sign in
Jan 12, 2016