Guest
Guest user Created:   May 03, 2020 Last commented:   May 03, 2020

SoA justification for selection (of control)

I have a question about the SoA's justification for the selection of controls: a lot of controls have been established and in use over the years (as a kind of "security best practice"), so there is no recent risk treatment or risk number for the control. How is the justification for selection written in the SoA in these cases?

ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.


Expert
Rhand Leal May 03, 2020

First, it is important to note that before you elaborate the SoA you need to perform the risk assessment and risk treatment steps, because these are required by the standard.

The second point to note is that, broadly speaking, justifications to apply or not apply a control are based on:

  • results of the risk assessment
  • legal requirements (e.g., laws, contracts, or regulations)
  • top management decision

Considering that, if you do not have relevant risks or legal requirements to justify applying a control, you can state that the control is considered relevant to be applied by top management, as a good practice.

These articles will provide you with a further explanation about risk management and the SoA:
