SOA; CONTROL APPLICABLE vs. CONTROL IMPLEMENTED?
1 - Can you help me explain the implementation of SoA?
The implementation of the SoA, i.e., of the controls identified as applicable, is made according to what is defined in the Risk Treatment Plan, which defines actions, responsible parties, and deadlines.
For example, if control A.12.3.1 Information backup is defined as applicable in the SoA, in the Risk Treatment Plan you will define activities like elaboration, approval, and publication of a Backup Policy, and the acquisition and implementation of a software solution to be implemented in your environment.
For further information, see:
- Risk Treatment Plan and risk treatment process – What’s the difference? https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment
2 - Is the SoA acceptable if not all applicable controls are implemented (i.e., some controls marked "control applicable" are not marked "control implemented")?
I’m assuming you are asking about SoA acceptance considering certification purposes.
Considering that, during a certification audit it can be accepted that certain controls stated in the SoA as applicable are not implemented if:
These materials will also help you regarding Risk Assessment and Treatment:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jan 04, 2022