An Introduction To
Information, Network and Internet Security


Select objectives and controls to be implemented

Once the risk assessment has been performed, the organisation must decide how to treat the identified risks by selecting effective controls. The effectiveness of each control must be evaluated against its total cost: its impact on working practices, the need for training, licensing, and any other costs involved in implementing it.

Once the controls have been selected, the reason for selecting (or rejecting) each of the 133 controls in ISO 27001 must be recorded. This information is captured in the Statement of Applicability (SoA), which should be agreed and signed off by the owner of the area to which it refers.

The output of this process is the Statement of Applicability.



The Security Practitioner

An Introduction to Information Security