Once the risk assessment has been conducted and decisions have been taken on how the assessed risks are to be treated, the results need to be documented. This produces two documents:

1. Statement of Applicability (SoA)

2. Risk treatment plan

The SoA lists all the controls the organisation has selected alongside a justification for their selection and whether or not they have been applied within the ISMS, and also identifies any controls from Annex A that have not been selected along with a justification for their exclusion. The risk treatment plan maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation ...
