Expert Advice Community


SOA question

Guest user Created:   Jun 04, 2019 Last commented:   Jun 04, 2019


I am going through the ISO 27001 documents with the assistance of your great templates. Support advised me that I can email you with a question. I'm wondering if the vast majority of the 114 controls in the SOA typically need to be used in order to meet the compliance requirements. If the risk assessment identified that only 20 controls are required, could the remaining controls be set to "No" in the SOA? Then how would you justify that it wasn't required?


Expert
Rhand Leal Jun 04, 2019

Answer:

In our experience, an ISMS based on ISO 27001 implements around 100 of the 114 controls from Annex A, and the results of the risk assessment are just one of three general justifications to implement a control. The other two are:
- Legal requirements (e.g., contracts, laws, regulations, etc.) demand the implementation of a control
- Top management decisions demand the implementation of a control (e.g., by considering it a good practice)
If none of the above situations occurs, then you can justify not implementing a control with a text something like: "There are no unacceptable risks nor legal requirements that would demand this control."

These articles will provide you with further explanation about the SoA and the selection of controls:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
