The SoA is your formal definition of the controls listed in ISO/IEC 27002 that are relevant to your ISMS. There needs to be some rationale to explain your reasoning and persuade the auditors that important decisions were not made arbitrarily. Be ready for some robust discussions if you decide not to implement common controls, or to accept significant risks.
The Statement of Applicability forms the main link
between your risk assessment and the information security you have implemented.
The purpose of the Statement of Applicability is to document which controls
(security measures) from ISO 27001 Annex A (and thereby the ISO 27002 standard
for information security) you will implement, the reason they have been chosen
– and for those that have not been chosen – the justification for their
exclusion. While the standard does not directly specify this, it has become
good practice to also include the following in the Statement of Applicability
document:
§ The status of implementation for existing controls
§ A link to the control documentation or a brief description of how each control is implemented
§ A cross-reference to the sources of other requirements, necessitating the controls chosen
Thus, by preparing a good quality Statement of Applicability, you will have a thorough and full overview of which controls you need to implement, why they are implemented, how they are implemented, and how well they are implemented. The two primary sources for the Statement of Applicability are the risk assessment and Annex A of the standard (in reality the Table of Contents of the ISO 27002 standard). Other sources are the controls that currently exist in the organization and the external security requirements that the organization has to comply with.
This SoA is documentation of the decisions reached on each control in light of the risk assessment and is also an explanation or justification of why any controls that are listed in Annex A have not been selected. This exercise, of reviewing the list of controls and documenting the reasons, follows the numbering as in Annex A of the Standard, and this statement explains which controls have been adopted, identifies those which have not been adopted and sets out the reasons for these decisions.
able to coordinate implementation of the complete range of information security controls. A separate forum for information security coordination has not been created as it is considered more effective for this to be handled through the management
The Statement of Applicability will also list those additional controls that the organisation has determined, following its risk assessment, are necessary to counter specifically identified risks. These controls should be listed, either within those control sections whose objectives are supported by the additional controls, or within additional control sections added after those contained in ISO 27001 Appendix A. These additional controls should adopt the Appendix A numbering scheme. It would also be worth documenting how the additional controls were selected.
Road to Statement of Applicability:
· Identify and Analyse Risks
· Select Controls
· Analyse Gaps
· Writing the Statement of Applicability
· Plan Risk Treatment
· Implement Controls
· Maintaining the Statement of Applicability
Risk Treatment Plan
Risk Treatment is the process of selecting and implementing measures to modify risk. The purpose of assessing risk is to assist management in determining where to direct resources. There are four basic strategies for managing risk: mitigation, transference, acceptance and avoidance. For each risk in the risk assessment report, a risk management strategy must be devised that reduces the risk to an acceptable level for an acceptable cost. For each risk management strategy, the cost associated with the strategy and the basic steps for achieving the strategy must also be determined.
Mitigation
Mitigation is the most commonly considered risk management strategy. Mitigation involves fixing the flaw or providing some type of compensatory control to reduce the likelihood or impact associated with the flaw.
Transference
Transference is the process of allowing another party to accept the risk on your behalf. This is not widely done for IT systems, but everyone does it all the time in their personal lives. Car, health and life insurance are all ways to transfer risk.
Acceptance
Acceptance is the practice of simply allowing the system to operate with a known risk. Many low risks are simply accepted. Risks that have an extremely high cost to mitigate are also often accepted. Beware of high risks being accepted by management. Ensure that this strategy is in writing and accepted by the manager(s) making the decision.
Avoidance
Avoidance is the practice of removing the vulnerable aspect of the system or even the system itself.
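The Statement of Applicability is only useful if it actually agrees with the risk assessment: every control a treatment relies on must be marked applicable and cross-referenced to its risk, every decision needs a recorded justification, and an accepted risk above the appetite needs a named approver in writing. The following script is an added example (not from the original article) that encodes those checks over a small risk register and SoA. The risk-appetite threshold, the control identifiers (which only follow the Annex A numbering format), and all risks, owners and document references are constructed for illustration.

```python
"""Consistency check between a risk register and a Statement of Applicability.

Added example; the data below is constructed and the Annex A-style control
identifiers are used only as placeholders that follow the numbering format.
"""
from dataclasses import dataclass

# Assumed risk appetite: likelihood x impact above this needs formal sign-off
ACCEPTABLE_LEVEL = 6


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int            # 1..5
    impact: int                # 1..5
    treatment: str             # mitigate | transfer | accept | avoid
    controls: tuple = ()       # control ids that treat this risk
    approved_by: str = ""      # required when accepting a risk above appetite

    @property
    def level(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoAEntry:
    control: str
    applicable: bool
    justification: str         # reason for inclusion or exclusion
    status: str = "not started"  # not started | partial | implemented
    reference: str = ""        # link to the control documentation
    sources: tuple = ()        # risk ids / external requirements driving it


def check_soa(risks, soa):
    """Return a list of findings; an empty list means register and SoA agree."""
    findings = []
    by_control = {e.control: e for e in soa}

    # 1. Controls named by a treatment must exist, be applicable and cite the risk
    for r in risks:
        for c in r.controls:
            entry = by_control.get(c)
            if entry is None:
                findings.append(f"{r.rid}: control {c} missing from SoA")
            elif not entry.applicable:
                findings.append(f"{r.rid}: control {c} excluded in SoA but used for treatment")
            elif r.rid not in entry.sources:
                findings.append(f"{c}: SoA does not cross-reference {r.rid}")

    # 2. Every SoA decision needs a justification; applicable ones need a doc link
    for e in soa:
        if not e.justification.strip():
            findings.append(f"{e.control}: no justification recorded")
        if e.applicable and not e.reference:
            findings.append(f"{e.control}: no link to control documentation")

    # 3. Accepted risks above appetite need written sign-off; mitigate/transfer need controls
    for r in risks:
        if r.treatment == "accept" and r.level > ACCEPTABLE_LEVEL and not r.approved_by:
            findings.append(f"{r.rid}: high risk accepted without written management sign-off")
        if r.treatment in ("mitigate", "transfer") and not r.controls:
            findings.append(f"{r.rid}: treatment '{r.treatment}' names no controls")
    return findings


def soa_table(soa):
    """Render the SoA as plain-text rows: control, decision, status, justification."""
    rows = []
    for e in soa:
        decision = "applicable" if e.applicable else "excluded"
        rows.append(f"{e.control:<10} {decision:<11} {e.status:<12} {e.justification}")
    return rows


# Constructed sample register and SoA (hypothetical values)
RISKS = [
    Risk("R1", "Loss of unencrypted laptop", 3, 4, "mitigate", ("A.10.1.1",)),
    Risk("R2", "Data centre flood", 1, 5, "transfer", ("A.11.1.4",)),
    Risk("R3", "Legacy reporting host compromised", 4, 3, "accept"),   # level 12, no approver
    Risk("R4", "Public file share exposes customer data", 4, 5, "avoid"),
]
SOA = [
    SoAEntry("A.10.1.1", True, "Treats R1", "implemented", "crypto-policy.md", ("R1",)),
    SoAEntry("A.11.1.4", True, "Treats R2 with insurance and site selection", "partial", "dr-plan.md", ("R2",)),
    SoAEntry("A.6.1.2", False, "Coordination handled through the management forum"),
    SoAEntry("A.14.2.7", False, ""),                                  # missing justification
]


def run_example():
    return check_soa(RISKS, SOA)


if __name__ == "__main__":
    for line in soa_table(SOA):
        print(line)
    for f in run_example():
        print("FINDING:", f)
```

Run as a script it prints the SoA rows followed by two findings: the excluded control with no justification, and the high risk that was accepted without a named approver. Adding a third check, that every applicable control has a status of "implemented" before the SoA is declared complete, is the natural extension for the maintenance step.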