SoA and Risk Treatment Plan
Answer: They are completely separate documents. The Statement of Applicability documents which security controls from Annex A are applicable, the justification for their inclusion, whether they are implemented or not, and the justification for excluding any controls, while the Risk Treatment Plan documents which security controls you need to implement, who is responsible for them, what the deadlines are, and which resources are required.
These articles will provide you with further explanation about the Statement of Applicability and the Risk Treatment Plan:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding the Statement of Applicability and the Risk Treatment Plan:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Aug 09, 2017