SoA justification for selection (of control)
First, it is important to note that before you elaborate the SoA you need to perform the risk assessment and risk treatment steps, because these are required by the standard.
The second topic of notice is that, broadly speaking, justifications to apply or not apply a control are based on:
- results of risk assessment
- legal requirements (e.g., laws, contract, or regulations)
- top management decision
Considering that, if you do not have relevant risks or legal requirements to justify applying a control, you can state that the control is considered relevant to be applied by top management, as a good practice.
These articles will provide you with further explanation about risk management and the SoA:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
May 03, 2020