From the standard, I am not able to gauge whether the above fields are mandatory.
Answer: The justification for inclusions is needed because the reason for applying a control will help understand how to evaluate its effectiveness. For example, if the reason is because of the results of a risk assessment, then we have to check which risks are being treated by the control to ensure all of them are being handled properly. On the other hand, if the reason is because of a legal or contractual requirement, we need to identify if this requirement is being properly fulfilled.
You can find the requirements for filling the SoA in the clause 6.1.3 d) of ISO 27001.
This article will provide you with further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you regarding the Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jul 29, 2017