SoA and selection of controls
I have a question about SoA and selection of controls:
If control is selected as applicable in which extent the control is required to implement?
For example: if control A.9.4.3 Password management system is selected as applicable is it required to implement to every single system/application in the Company or is it enough to implement it according to assessed need (based on assessed risks and other relevant information concerning the systems/applications)?
Assign topic to the user
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now 
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now
ISO 27001 STATEMENT OF APPLICABILITY
List all controls and determine which are applicable and why.
Get it now
You have to implement a control only to the extent it reduces related risks to acceptable levels and ensures legal requirements (e.g., laws, regulations, or contracts) are fulfilled.
This article will provide you a further explanation about risk treatment:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
These materials will also help you regarding risk treatment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- ISO 27001 Annex A Controls in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
Comment as guest or Sign in
May 13, 2020