As you may remember from earlier on in this course, ISO 27001 relies heavily on a risk assessment process and, unlike other ISO standards, provides 114 controls within Annex A.
You should not ignore the Controls in Annex A.
The standard requires you to justify the inclusion or exclusion of every control within Annex A. Controls should only be excluded if they do not help you:
The standard requires you to put these justifications into a Statement of Applicability (SOA).
Often this takes the form of a list covering every control in the annex, with the justification for inclusion or exclusion recorded against each control.
The SOA can become an invaluable document during audit. If you reference key policies, procedures or other evidence against each control, it becomes much easier to manage your system.
You don’t necessarily need a document for EVERY control.
While there are many controls which state “Documented”, “Policy” or “Procedure”, many only require that the control is met, which can be evidenced in other ways. Think carefully about the level of documentation your organisation needs to effectively operate the ISMS.
The controls of Annex A are divided into several sub-categories:
Responsibilities for implementing controls should be delegated to relevant people within the organisation, and so you may be asked to take on some extra responsibilities, or document some information, in line with your job role.