When it comes to ISO 27001 compliance, the SoA (Statement of Applicability) is one of the key documents you must complete. It identifies the controls you have selected to address information security risks, explains why those controls have been selected, states whether they have been implemented, and explains why any Annex A controls have been omitted.

Although ISO 27001 doesn't require you to use Annex A controls exclusively, you do have to check the controls you select from elsewhere against those in Annex A to ensure that each risk is appropriately mitigated. This means there will be at least 114 entries in your SoA – one for each control in Annex A of ISO/IEC 27001:2013 – each of which will include extra information about that control and, ideally, link to relevant documentation about its implementation.

As such, you can think of your SoA as the index for your ISMS (information security management system).

When the 2013 version of ISO 27001 was published, many people struggled to understand what the requirements of an SoA were. ISO/IEC responded by releasing a technical corrigendum (ISO 27001 Technical Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015), which does a much better job of explaining how to implement an SoA. It clarifies that, as part of the risk treatment process, organisations must produce an SoA that contains:

- whether the necessary controls are implemented or not; and