Answer: First it is important to note that SoA is about applicability of controls. Policies and procedures are examples of methods to be used to implement controls, considered applicable because of unacceptable risks, legal requirements or top management decisions. It is also true that you can simply use one phrase on SoA to explain how a control will be implemented, and not develop a more complex document.
Considering that, if a control is considered not applicable, an example of good justification is "there are no unacceptable risks or legal requirements which require the implementation of this control".
This article will provide you with further information:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2. Measurement Report: evaluation frequency (which evaluation frequency is recommended?)
Answer: There is no "standard" evaluation frequency that can be defined, because there are many variables to be considered: level of risk involved, measurement complexity, time to process data, etc. This definition should be made on a case-by-case basis.
This article will provide you with further information:
- How to perform monitoring and measurement in ISO 27001 https://advisera.com/27001academy/blog/2015/06/08/how-to-perform-monitoring-and-measurement-in-iso-27001/
3. A.11.2.5: Do employees really need written permission?
Answer: The proper term here would be "recorded" permission, which could be either written or included in a computerized information system. The point here is that you must preserve evidence that an authorization was given, so it can be traceable for operational or audit purposes in case of need.
See this article for further information:
- Records management in ISO 27001 and ISO 22301 https://advisera.com/27001academy/blog/2014/11/24/records-management-in-iso-27001-and-iso-22301/
4. A.14: Does a webhosting company (which isn't developing software) have to comply with any of the controls in this chapter at all? I'm really stuck here.
Answer: If an organization does not have a software development process, the only other reason to consider some of the controls from section A.14 is when performing system acquisition (e.g. buying a third-party CRM), mainly those related to the definition of security requirements and system acceptance.
Mar 21, 2019