
Expert Advice Community


Statement of Applicability

Guest user | Created: Oct 27, 2021 | Last commented: Oct 27, 2021

We also just have a question re the risk treatment template. Appendix 2 - Risk Treatment Table allows for a single control per risk identified. If we believe multiple controls are applicable to some risks above the risk threshold, should they be documented? Or is it a case of just listing the most important single control and leaving the others for the Statement of Applicability? Thanks

Expert
Rhand Leal Oct 27, 2021

If you understand that multiple controls are needed to decrease risk to an acceptable level, then you can add multiple controls next to each risk in the Risk Treatment Table.

Regarding the Statement of Applicability, please note that all controls related to risks need to be documented in the Risk Treatment Table, not only those you consider the most important.

These articles will provide you with a further explanation about risk assessment and treatment:

- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

By the way, your toolkit includes access to video tutorials that can help you fill in the Risk Treatment Table. This tutorial will show you how additional controls are added.
