Answer: Basically you have to put the reason why the control is applicable or not to your organization.
To justify the application of a control you can state it is applicable because:
- of the results of risk assessment (e.g., applicable because of the risk number xxxx);
- it should comply with a legal requirement (e.g., applicable to ensure compliance with law, industry regulation or contract);
- of a top management decision.
In general, the justification for not applying a control is related to the fact that there is no unacceptable risk related to that control, or that top management has accepted the risk as it is.
These articles will provide you further explanation about SOA content:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- 4 mitigation options in risk treatment according to ISO 27001 https://advisera.com/27001academy/blog/2016/05/16/4-mitigation-options-risk-treatment-according-iso-27001/
These materials will also help you regarding SOA content:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Sep 15, 2017