In the Controls Tab for an individual Threat, the system suggests controls that work against the risk in question. The assessor must go through the list and set the Status (image 15.8) for each one. All Controls from the Standard (or the User Defined Standard) appear in a list on the screen. There are 133 Standard controls for ISO/IEC 27001. All the controls must be reviewed and a status assigned to them.

Note that a control can be partially implemented. This is when a security control has been implemented but not to its full extent. An example of this would be if plans for business continuity were well on their way but were not fully complete. Keep in mind that a Standard control recommended by the system may be inapplicable in some cases. An example of such an instance would be a business without a computer system. If this were the case, there would be various inapplicable Standard controls.

Enter information that supports the Assessment under Justification. You can add controls by clicking on the Add New Control Icon in the Controls Toolbar above the Controls List. Make sure that all the Standard controls have been reviewed before going on to the next tab in the Risk Treatment.

9.1.4. Controls Tab