AntonioS Tue, 23:37:49 GMT

We have received this question:

"Our 27001 auditor says we have to share our Statement of Applicability, if requested. But our clients say this is confidential."

ISO 27001 does not require the SoA to be a public document, so it is up to each company to consider whether it is confidential or not. Then, generally the SoA is not considered a public document, because it can have internal information about the business, and it is recommendable to consider this document as "Internal use" or "Restricted" (from my point of view this document is not "confidential"). This means that external people cannot access this document, although an exception can be an auditor.

The main purpose of ISO 27001 is the protection of information, and the SoA can have important information about the business (information about business processes, references to documents, intranet links, etc.). So, you need to protect it from unauthorized access, which means that this document should be considered as internal, restricted or confidential (from my point of view, never public). You can share this information with some people (for example auditors), but not with the whole world.

Furthermore, if you have the ISO 27001:2013 certificate issued by a certification body, it means that your business is compliant with the standard, so you do not need to share the content of the SoA with external companies, because the SoA has been reviewed by a certification auditor (the auditor is the only external person that is required to review the document).

Finally, take care when sharing information about your business, because it can produce threats, for example information leakage.

This article about the classification of information can be interesting for you: Information classification according to ISO 27001.

And also this article about the importance of the SoA: The importance of Statement of Applicability for ISO 27001.

ISO 27001 Statement of Applicability – Why it is needed

Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in the SoA you also identify the controls that are required for other reasons, e.g., because of the law, contractual requirements, other processes, etc.

Second, the ISO 27001 Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from another source.