The Statement of Applicability should be produced to ensure that no control from these Standards that is required by the entity for risk treatment is overlooked.
If the first version of the Statement of Applicability identifies controls from this Standard whose exclusion cannot be justified, the entity should go back to the control identification process (refer to M2.3.2 - P1- IDENTIFICATION OF CONTROLS) and check whether there are risks whose treatment could benefit from this control. If this is the case, the control under consideration should be included in the risk treatment. If this is not the case, the entity should go back to the risk identification and ensure that all important risks have been identified.
The reasons for the identification of controls are needed to form the link between risks and controls; this relationship can also be documented in the risk treatment plan (refer to M2.3.3 - P1- RISK TREATMENT PLAN). The Statement of Applicability can be a separate document or can be combined with the risk treatment plan; this can be decided by the entity.