Expert Advice Community

Templates content

Guest user Created: Apr 06, 2019 Last commented: Apr 06, 2019

1. In some cases the controls are very similar and I could see that they are applicable to the same risk, e.g. control A.15.1.1 and A.15.1.2. Let us say that we only choose to apply one of them in order to not make it look as if we have a lot of risks (and besides that the control is not applicable to any other risk), would there be a way how we could justify this in the Statement Applicability?

Expert
Rhand Leal Apr 06, 2019

Answer: First it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends on the organization's context, the legal requirements to be fulfilled and the business objectives.

Considering that, to justify that a control is not applicable you should first verify that there are no unacceptable risks that justify the implementation of the control, and that there are no legal requirements demanding the implementation of the control. If both situations occur you can state that a control is not applicable in the SoA.

For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. Controls of A.16 and A.17: These controls can be applicable to each risk more or less, since you should document each disaster and, aside from that, it's important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that requires us to do so? As for the controls of A.17, is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)

Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).