The Statement of Applicability

-

ISO/IEC 27001:2013 and your SoA

The journey that sees an organisation gaining its Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) must include the creation of a statement of the applicable controls (or measures) used within the scope of the ISMS.

The Statement of Applicability (SoA) is a mandatory requirement, and is a 'statement' of the controls (or measures) you have implemented in response to the options you have selected to treat a particular risk.

The simple diagram above (and yes it is simple) shows that the SoA is an 'output' document!

I am going to say that the following is all theory, but only because it causes so much angst.

  • Having identified within the scope of your ISMS the source; the cause; the event; and consequence of a risk, and found through analysis and evaluation that it is unacceptable, the business makes the decision to 'treat' the risk in some fashion.
    • It doesn't matter for the moment what area of the information and cyber security space this risk presents itself, it is the response process that is of concern here,
  • The business may decide that given its context, and the scope of the ISMS (and business need) that the most appropriate response will be to modify the level of risk by implementing a control (other options are available of course).
  • The process will be planned (including 'change'), and its progress to implementation tracked within the risk treatment plan (RTP). 
  • All details related to 'this' risk will find their way onto the risk register.
  • At any given point, the statement detailing the status of all controls within scope can be generated at the touch of a button (key stroke).   
  • Given this statement and the RTP a 3rd party (Certifying Body) auditor will sample a number of the stated controls, and track-back to the 'decision making' processes. They are checking to see if the management system is working as required by the standard. 
    • If it is stated that a control has been implemented but in reality it hasn't, then the management system is not working.
  • Irrespective of any 3rd party audit, the senior information risk owner for the business, whether known as the SIRO or perhaps the CFO, CISO, CIO, CTO etc, will be in a position to sign-off on the statement as it will show all applicable 'internal' controls, implemented or being implemented, that address the information and cyber security risk. 
Why the angst?

  • The lack of an effective risk process which results in;
    • the application of controls (measures) as a knee-jerk reaction rather than a methodical approach to managing information and cyber security risk,
    • the fudging of a statement of applicability based upon no decision making process save for checking the wind direction,
  • Believing that Annex A to ISO/IEC 27001:2013 (27K1:13) is the only set of controls that can be used;
    • It is not mandatory,
    • They are out of date,
    • They are only a reference to ensure that no 'necessary controls have been overlooked'. Other control catalogues/lists/references can (and in most cases, should) be used. Indeed, you can create your own if there is a need,
    • Sector based extensions to Annex A can be used, for example; if the business is a Cloud Service Provider, a Broker, a Peer or indeed a Consumer of cloud services. 
There are some rules around the SoA for 27K1:13;
  • It should contain all necessary controls,
  • It conforms to the business's specification of its necessary controls,
  • If a variation on an Annex A control is used, and excludes that actual Annex A control entirely then the business must provide the rationale for exclusion,
  • The SoA must be entitled, the Statement of Applicability. With the exception of the SoA, 27K1:13 does not give names to documents.

On a final note regarding Annex A, and to quote ISO/IEC 27007:2020 (Guidelines for information security management systems auditing):
Necessary controls can be ISO/IEC 27001:2013, Annex A controls, but they are not mandatory. They can be controls taken from other standards (e.g. ISO/IEC 27017) or other sources, or they can have been specially designed by the organization.

If you are looking for further guidance, please get in touch

KanSecurity Ltd (NL)








Popular posts from this blog

Black Swans and other things

-
Image
Back swans and other things. For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security] . Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced
Read more

Personal data or PII

-
Image
PII or not to PII, that is the question PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Offic
Read more

Info and Cybersecurity tips - working from home

-
Image
Working from home - hints and tips Pretty sure you will have seen so many hints lately about working from home, using laptops and so forth.  First, if you have not heard of KanSecurity Ltd - it is based in Carlisle, Cumbria, and in fact has been for a good number of years. As a company it provides, advice; guidance; help; training, on all matters related to information and cybersecurity.  Nigel, the owner, is a veteran [25 years] and has been working in the world of information and cybersecurity for over 30 years. So, work is mainly with larger organisations and businesses BUT, KanSecurity Ltd is here to help micro, small and medium businesses in any way it can.  Lets face it information and cybersecurity is complex, and not always fully understood by your IT Service Provider. KanSecurity works with your IT Service Provider, not against them. So whilst they will do a brilliant job of sorting out IT - is that IT Security, Computer Security, Information Security or Cyb
Read more