Answer:
In our experience, an ISMS based on ISO 27001 implements somewhere around 100 of the 114 controls from Annex A, and the results of the risk assessment are just one of three general justifications for implementing a control. The other two are:
- Legal requirements (e.g., contracts, laws, regulations, etc.) demand the implementation of a control
- Top management decisions demand the implementation of a control (e.g., by considering it a good practice)
If none of the above situations occurs, then you can justify not implementing a control with text something like: "There are no unacceptable risks nor legal requirements that would demand this control."
These articles will provide you with further explanation about the SoA and the selection of controls:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Jun 04, 2019