Templates content
Assign topic to the user
Answer: First it is important to note that the number of applied controls does not have a direct correlation with the number of treated risks. You can have scenarios with many risks treated by few controls, as well as scenarios with few risks treated by a large number of controls. This all depends of organization context, legal requirements to be fulfilled and business objectives.
Considering that, to justify that a control is not applicable you should verify first if there are no unacceptable risks that justify the implementation of the control, or that there are no legal requirements demanding the implementation of the control. If both situa tions occur you can state that a control is not applicable on SoA.
For further information, please read:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
2. Controls of A.16 and A.17: These controls can be applicable to each risk more or less, since you should document each disaster and aside of that it's important that your business still runs after a disaster. Is it okay to write at each control of A.16 that there is a legal requirement (GDPR) that enforces us to do so? As for the controls of A.17 is it okay to write that this is a management decision? (In this case we would basically not link them to any specific risk.)
Answer: Both justifications you presented for applying the controls you mentioned are valid (demanded by a legal requirement or by a top management decision).
Comment as guest or Sign in
Apr 06, 2019