Your understanding is correct (you only need the terms of agreement with your suppliers), but your SoA information needs adjustment to be compliant with ISO 27001, because the justification requires you to explain why you decided (or not) to apply the control (e.g., because you have (or have not) relevant risks, or legal requirements, demanding the control implementation), while "transferred to supplier" informs how you implemented the control, which is not required by the standard (however, it is a good practice to include this information). So, your SoA statement would look like this:
Selected: Yes
Implemented: Yes
Justification: existence of risk XXX / legal requirement YYY demands the implementation of backup
Implementation method (this would be a new field in your SoA): implemented by outsourcing the backup to the supplier.
To see what a Statement of Applicability acceptable to certification auditors looks like, please access this link: https://advisera.com/27001academy/documentation/statement-of-applicability/
This article will provide you with further explanation of the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Apr 15, 2020