An Introduction To
Information, Network and Internet Security


Selection of controls / the SoA

The controls selected to manage the risks identified above must be appropriate and must reduce each risk to an acceptable level - a level determined by the organisation. These controls are entered into the Statement of Applicability (SoA), which must be traceable back to the risk assessment (i.e. every control selected must reduce one or more of the risks identified at the risk assessment stage). It is perfectly acceptable to have more than one SoA for a given scope (e.g. a baseline SoA plus separate SoAs for each system within the scope that requires more security than the baseline affords).


