I am going through the ISO 27001 documents with the assistance of your great templates. Support advised me that I can email you with a question. I'm wondering if the vast majority of the 114 controls in the SOA typically need to be used in order to meet the compliance requirements. If the risk assessment identified that only 20 controls are required, could the remaining controls be set to "No" in the SOA? Then how would you justify that they weren't required?
In our experience, an ISMS based on ISO 27001 implements around 100 of the 114 controls from Annex A, and the results of the risk assessment are just one of three general justifications for implementing a control. The other two are:
- Legal requirements (e.g., contracts, laws, regulations, etc.) demand the implementation of a control
- Top management decisions demand the implementation of a control (e.g., by considering it a good practice)
If none of the above situations occurs, then you can justify not implementing a control with a text something like: "There are no unacceptable risks nor legal requirements that would demand this control."