1 - In your video, which is accessible in video tutorials, in examples you mentioned in “Justification for selection/ non-selection” the risks. Does it means that in “Justification for selection/ non-selection” should be only risks from the risk assessment document? If not, what else can/should be there?
Answer: As “Justification for selection/ non-selection” you can use the results of risk assessment, compliance with legal requirements (e.g., laws, contracts and regulations), and top management decision (e.g., the Top management considers that the adoption of the control will bring advantages to the organization).
2 - And one other question. Can I fill in that field only for non-selection case?
Answer: ISO 27001 clause 6.1.3 d) requires justification not only for control inclusions, but also for exclusions of controls from Annex A.
This article will provide you further explanation a bout SoA content:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Comment as guest or Sign in
Feb 15, 2019