The smart way to perform information security risk assessments — just answer some questions

  Master ISO/IEC 27001 risk assessment and the Statement of Applicability with IMS-Smart Assistant

Mastering Risk Assessment and the Statement of Applicability — the IMS-Smart Assistant

Perform your ISO/IEC 27001 conformant risk assessment, risk treatment and Statement of Applicability in five easy steps:

  • Answer questions regarding the characteristics of your organisation, your preferences, the impact of the loss of confidentiality, integrity and availability, and the likelihood that certain events will occur.
  • Answer questions regarding the information security measures that you have in place (or intend to put in place).
  • Review the risk stories and decide how effective they are about reducing your information security risks to an acceptable level.
  • Answer some questions about your necessary information security controls (e.g. their implementation status) and excluded ISO/IEC 27001, Annex A controls.
  • Export the results and incorporate them into your ISMS.

…an automation of the prescription given in David Brewer’s new book: “ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability” in the form of Software Assistant. The underlying philosophy of the assistant is a subset of the IMS-Smart philosophy and the twelve events are the same as used in IMS-Smart On-Line.

NOTE: The publication of the new edition of ISO/IEC 27002 does not impact greatly on your use of this product. The new edition ISO/IEC 27002 controls are already built into this product. Therefore, in using this product you will have already performed that comparision process and will therefore be one step ahead of the game. Any revision to the SOA layouts is likely to be fully automatic and included in your subscription price. When ISO/IEC 27001 is republished, there is likley to be be a period of grace (known as the transistion period) before your necessary controls have to be compared to those in any new Annex A.



The home screen of the assistant is a dashboard showing just where you are in terms of answering the various questions and other activities necessary to complete the ISO/IEC 27001 risk assessment, treatment and SOA processes.

The screen shots below are taken with different window widths, illustrating the responsiveness of the assistant web pages.

Answering questions

The next screenshot shows an extract from the Answer Risk Questions page. Once all the questions have been answered, your risk assessment is complete. The questions are either multiple-choice questions or questions that require a number for the answer. Number questions are answered by moving a slider.

The following screen shot shows an extract from the Answer Control Questions page. These questions are reproduced from Appendix C of the book. There are over two hundred questions. However, for each one the default answer is “yes”. The alternative answers are “similar” and “no”.

If you answer “similar”, it means that you cannot strictly give the answer “yes” to the given question, but you can answer “yes” to a slightly different question. If you do this (as shown in the screenshot) you are invited to enter that slightly different question. The assistant will use the statement form of your replacement question in the RTP stories and the SOA.

If you answer “no”, and the question corresponds to an ISO/IEC 27001, Annex A control, you will be invited to enter why. Answering “no” causes the exclusion of that Annex A control, and your explanation is used as the reason for exclusion in the Statement of Applicability.

Tweaking the RTP stories

The assistant uses the answers to the control questions to construct twelve Risk Treatment Plan stories. Each of these stories describes a scenario that describes an event and its consequences. The twelve scenarios ensure coverage of the ISO/IEC 27001, Annex A controls. The stories are called:

  • S1 – Theft/loss of mobile devices
  • S2 – Office break-in
  • S3 – Acts of God, vandals and terrorists
  • S4 – Software failure
  • S5 – Hardware failure
  • S6 – Power failure
  • S7 – Internet/communications failure
  • S8 – Regular fraud
  • S9 – Hacking
  • S10 – Web DOS
  • S11 – Disclosure
  • S12 – Breach of the law

Each story is divided into three parts:

  • Preventing the event
  • Detecting the event
  • Reacting to the consequence(s).

Each section is made up of control statements, being the statement forms of the questions that you answered “yes”, and the replacement questions you created for those questions to which you gave the answer “similar”.

The assistant knows the mapping between the questions and the RTPs.

Using the RTP editor, you can change the order of the controls in each RTP section and the text that is displayed. You can do this to render the stories more readable.

Changing the display text does not change the underlying statement form of the question nor its linkage to the SOA.


Use the RTP Effectiveness page to record your views on the effectiveness of your risk treatment plans. Review each story in turn, decide how the controls behave together to modify risk and how effective they are at doing that. The assistant will then perform the necessary calculations to determine the residual risks.

Two SOA layouts

ISO/IEC 27001 requires organisations to produce a Statement of Applicability (SOA) that includes the necessary controls and the excluded Annex A controls. Notwithstanding that the standard specifies what the SOA must contain, it does not specify how it should be laid out.

Traditionally, SOAs follow the structure of ISO/IEC 27001, Annex A, listing each Annex A control in turn. As the necessary controls are determined by the organisation through the process of risk treatment (and not selected from Annex A, as was the requirement in the 2005 edition of ISO/IEC 27001), necessary controls do not have to be Annex A controls. A necessary control that is not an ISO/IEC 27001, Annex A control is a custom control (as explained in ISO/IEC 27003). If the specification of a custom control is similar to that of an Annex A control it can be declared as a variant. In this case, the custom control specification replaces the Annex A control specification, but the Annex A control identifier and control name are retained. If the specification is dissimilar to any Annex A control, then it needs its own identifier and name, and is inserted at any appropriate location in the SOA.

An alternative layout is to:

  • split the SOA into two parts, declaring all necessary controls in the first and all excluded Annex A controls in the second part
  • give every necessary control a non-Annex A identifier and name (of your choice)
  • structure the first part according to whether the control is classed as being organisational, people, physical or technological
  • provide the mapping between the necessary controls and the Annex A controls

As the input data for both layouts is the same, the assistant permits you to switch easily (at the click of a button) between the two layouts.

An Edit Names facility is provided to allow you to edit the names and provide additional SOA information such as the implementation status of the controls.

Exporting the results

Once all the steps are complete you use the Export Results feature to export the results. If you attempt to export the results before all the necessary steps have been completed, the reports will contain warning messages, identifying what is missing.

Administrative facilities

The assistant provides administrative facilities for:

  • Edition management
  • Adding and deleting users
  • Changing roles
  • Changing, unblocking and resetting passwords
  • Logging on and logging off

Edition managements provides a degree of version control.

Pricing and purchase

The assistant is available on an annual subscription basis for the sum of £9.99 per month (plus applicable taxes). An account will provide you with a 5-user licence, two of which will be classed as administrators. Sales are conducted by our Revenue Delivery Partner, Sign up for a free-30 day trial first. Alternatively, take advantage of a free session trial.

If you are interested in learning more about this assistant, please contact us.

The book “ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability” is available now to buy on Amazon. The book explains the method in detail and can be used without the Assistant. However, the Assistant renders the method described in the book far easier to use. The book explains how to access an evaluation copy of the Assistant.