Guest user Created: Oct 27, 2021 Last commented: Oct 27, 2021

Statement of Applicability

We also just have a question re the risk treatment template. Appendix 2 - Risk Treatment Table allows for a single control per risk identified. If we believe multiple controls are applicable on some risks above the risk threshold, should they be documented? Or is it a case of just listing the most important single control and leaving the others for the Statement of Applicability. Thanks

0 0

Assign topic to the user

Select user

Expert

Rhand Leal Oct 27, 2021

If you understand that multiple controls are needed to decrease risk to an acceptable level, then you can add multiple controls next to each risk in the Risk Treatment Table.

Regarding the Statement of Applicability, please note that all controls related to risks need to be documented in the Risk Treatment Table, not only those you consider the most important.

These articles will provide you a further explanation about risk assessment and treatment:

- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

By the way, included in your toolkit you have access to video tutorials that can help you fill in the Risk Treatment Table. This tutorial will show you how additional controls are added.

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Oct 27, 2021

Expert Advice Community