Chat with Experta

User
I still struggle with the SoA. I know it's not mandatory to describe the implementation methods, which is practical if I don't yet know what specific measures we want to implement. But in the next step (risk treatment plan), I have to provide information on human, financial and technological resources. This is only possible if we know fairly precisely how implementation is to take place. Isn't it better to describe the implementation in more detail? But what does that look like? For example, we have a project for log obfuscating that has been started but is not yet finished. It fits in with control 8.11 Data Masking. Do we then mention the project in Implementation at 8.11?
Experta
Please note that a detailed implementation method description in the SoA would make the SoA document unnecessarily complex. If you need a thorough description to provide information for the Risk Treatment Plan, you should consider a separate document, and leave in the SoA only the short description and a reference to the main document.