Soa iso 27001 example
8/29/2023

The importance of the Statement of Applicability (sometimes referred to as the SoA) is usually underrated. Like a Quality Manual, it is the central document that defines how you will implement a large part of your information security. Actually, the Statement of Applicability (ISO 27001 clause 6.1.3 d) is the main link between the risk assessment and treatment and the implementation of your information security: its purpose is to define which of the 114 suggested controls (security measures) from Annex A you will apply and, for those that are applicable, how they will be implemented. (The count of 114 controls refers to the 2013 edition of the standard; ISO/IEC 27001:2022 restructured Annex A into 93 controls, and clause 6.1.3 d) still requires the SoA.) As Annex A is considered comprehensive but not exhaustive for all situations, nothing prevents you from also considering another source for the controls.

Why it is needed

Now why is such a document necessary when you have already produced the Risk Assessment Report (which is also mandatory) and which also defines the necessary controls? Here are the reasons.

First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be reduced; however, in the SoA you also identify the controls that are required for other reasons, i.e. because of the law, contractual requirements, because of other processes, etc.

Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented, e.g.
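The link the post describes can be checked mechanically: every control selected during risk treatment must appear in the SoA as applicable, every applicable control needs a stated reason (risk, legal, contractual, other process) and an implementation description, and every excluded control needs a justification. The script below is an added example written for this page, not code from the original post or from any ISO tool; the `SoaEntry` fields, the `RISK_TREATMENT` mapping, the risk IDs and the SoA rows are constructed sample data (Annex A identifiers use the 2013 numbering), and the sample SoA deliberately contains three defects so the checker has something to report.

```python
"""Consistency check between a risk treatment plan and a Statement of Applicability.

Added example for this page (not the original post's material). All control IDs,
risk IDs and rows below are constructed sample data; the field names are assumptions.
"""
from dataclasses import dataclass


@dataclass
class SoaEntry:
    control: str            # Annex A identifier (2013 numbering), e.g. "A.9.4.2"
    applicable: bool        # is the control applied in this ISMS?
    justification: str      # why it is applicable (risk/legal/contract/other process)
                            # or, for an excluded control, why it is excluded
    implementation: str = ""  # how the applicable control is implemented


# Constructed sample: controls chosen during risk treatment -> the risks they reduce.
RISK_TREATMENT = {
    "A.9.4.2": ["R-01"],
    "A.12.3.1": ["R-02", "R-05"],
    "A.13.1.1": ["R-03"],
}

# Constructed sample SoA with three deliberate defects (see comments).
SOA = [
    SoaEntry("A.9.4.2", True, "risk: R-01", "MFA enforced on all privileged accounts"),
    SoaEntry("A.12.3.1", True, "risk: R-02, R-05", ""),        # defect: no implementation text
    SoaEntry("A.18.1.4", True, "legal: data protection law", "privacy impact assessment procedure"),
    SoaEntry("A.11.1.5", False, "", ""),                        # defect: excluded, no justification
    # defect: A.13.1.1 was selected in risk treatment but is missing from the SoA
]


def check_soa(soa, risk_treatment):
    """Return a list of human-readable findings; an empty list means the SoA is consistent."""
    findings = []
    by_id = {entry.control: entry for entry in soa}

    # 1. Every control selected during risk treatment must be applicable in the SoA.
    for control, risks in risk_treatment.items():
        entry = by_id.get(control)
        if entry is None or not entry.applicable:
            findings.append(
                f"{control}: selected in risk treatment ({', '.join(risks)}) "
                f"but not marked applicable in the SoA"
            )

    # 2. Applicable controls need a reason and an implementation description;
    #    excluded controls need a justification for the exclusion.
    for entry in soa:
        if entry.applicable:
            if not entry.justification.strip():
                findings.append(f"{entry.control}: applicable but no reason given")
            if not entry.implementation.strip():
                findings.append(f"{entry.control}: applicable but no implementation description")
        elif not entry.justification.strip():
            findings.append(f"{entry.control}: excluded without justification")

    return findings


if __name__ == "__main__":
    for finding in check_soa(SOA, RISK_TREATMENT):
        print(finding)
```

Run against the sample data it reports exactly the three planted defects; feeding it a real SoA exported to the same shape (one row per Annex A control) gives a quick pre-audit check that the risk treatment plan and the SoA have not drifted apart.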