Expert Advice Community

Statement Of Applicability
Frank Van Heyghen Created:   Jun 09, 2020 Last commented:   Jun 10, 2020


Is there a rule of thumb (or best practice) as to how many controls from Annex A need to be sustained in the SOA (for smaller companies, i.e. 50-100 employees)?

Expert: Rhand Leal Jun 10, 2020

From our experience with our customers, smaller companies are usually at around 100 controls, while larger ones are usually above 110.

But please note that the main criteria considered by certification bodies to justify control applicability are the results of the risk assessment and the applicable legal requirements (e.g., laws, regulations, and contracts).

It is important to understand this, because you can have similar organizations with totally different quantities of applicable controls (above or below the mentioned numbers), because they have different approaches towards risk (e.g., more risk aggressive, more cautious, etc.), and still both can fulfill the standard's criteria for certification.
