It is essential that the chosen event-scenarios give coverage of the ISO/IEC 27001, Annex A controls

  Interested in Cyber Essentials? Visit our advert landing page (under Marketplace) and learn how to migrate to partial or full conformity with ISO/IEC 27001, and gain greater control and defensive strength against cybersecurity threats

Master the ISO/IEC 27001 risk assessment and statement of applicability

One of the most challenging and perplexing aspects of ISO/IEC 27001, particularly for small organisations, is the requirement to produce a “statement of applicability”. Just as frustrating is the requirement to perform a risk assessment and produce a risk treatment plan.

IMS-Smart Assistant claims to do this in five easy steps.

How is this possible?

  • BS 7799-3:2017Information security management systems — Part 3: Guidelines for information security risk management (revision of BS ISO/IEC 27005:2011), Table 4, page 13

    Please note:
    ISO/IEC 27005 (Information security risk management) is currently under revision. The first and second editions of this standard (2008 and 2011) were aligned with ISO/IEC 27001:2005 and were due to be replaced with a third edition that would be aligned to ISO/IEC 27001:2013. However, this revision project failed to achieve international consensus. The UK therefore withdraw the 2011 edition and replaced it with BS 7799-3:2017. The third edition of ISO/IEC 27005 (published in 2018) merely recasts the second edition pointing out that it is not aligned to ISO/IEC 27001:2013, and thereby is of little use to anyone who seeks advice on how to fulfil the risk assessment and risk treatment requirements of ISO/IEC 27001:2013. Consequently, the UK never adopted ISO/IEC 27005:2011. Organisations seeking such advice from a British or ISO standard are directed towards BS 7799-3:2017, which is fully aligned to the requirements of ISO/IEC 27001:2013.

    Please also note:
    Whilst ISO/IEC 27001 does not use the term “risk register” (and therefore there is no requirement to have one), the definition of a risk register given in ISO Guide 73 is “record of information about identified risks”. Therefore, a record of the risks that you have identified and assessed in fulfilment of ISO/IEC 27001, Clause 6.1.2, constitutes a risk register. Specifically, the risks identified and assessed in the IMS-Smart Assistant constitutes a risk register.
    presents a set of risks in terms of example event-scenarios and consequences that give coverageThis is an essential property of the chosen event-scenarios. Expand the more detailed explanation accordion to find out why. of the controls in ISO/IEC 27001 Annex A. A fully ISO/IEC 27001 conformant risk assessment can therefore be performed just by estimating the likelihood of the occurrence of each of these events and the severity of their consequences.
  • Once you have determined the controls necessary to mitigate these risks, coverageThis is an essential property of the chosen event-scenarios. Expand the more detailed explanation accordion to find out why. ensures that comparison with the reference controls in ISO/IEC 27001 Annex A is guaranteed not to discover any control that you have inadvertently overlooked.

This approach greatly speeds up the process of risk assessment, risk treatment and production of your statement of applicability.

Want a more detailed explanation?

Book cover for ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability by David Brewer

How can I do this?

To do this you for yourself, you will need to know how the controls in ISO/IEC 27001 Annex A map onto the risk scenarios given in BS 7999-3, or similar. Whilst a clue as to how to do this will be found in the classic Brewer and Nash paper: “Insights into the ISO/IEC 27001 Annex A”, this paper pre-dates the second edition of ISO/IEC 27001. Fortunately however, Dr David Brewer’s book “ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability” provides not only an up-to-date mapping but it also extends the mapping to cover the controls that will be in the new edition of ISO/IEC 27002.

The book also:

  • presents the questions, the answers to which, will enable you to quickly estimate the inherent risks and thereby complete your risk assessment.
  • casts its reference control set as a series of questions, which will speed up the process of creating your risk treatment plans and the SOA.
  • presents two alternative layouts for the SOA.
  • presents templates for the required risk assessment and risk treatment processes.
  • explains the requirements and presents detailed step-by-step instructions to apply this fast track approach.

The result will be the required documented information for your risk assessment, risk treatment and statement of applicability. The book is available on Amazon in e-book (£46.59) and paperback formats (price £35.99), and is enrolled in KDP Unlimited (free to Amazon Kindle Unlimited subscribers).

In addition, we also offer automated support for the processes prescribed in the book. Called the Assistant, this makes it even easier to perform your risk assessment and produce your statement of applicability. Priced at £9.99/month, you can register and try it out for free for 30 days. Using the Assistant, will not only make matters easier for you, but it will allow your to showcase your efforts during certification audits and be able, for example, switch between the modern and traditional SOA layouts at the click of a button. Alternatively, you can have a free anonymous session trial of IMS-Smart Assistant — no credit card data required.

If you have any question about IMS-Smart Assistant, ISO/IEC 27001 risk assessment or the Statement of Applicability, just or use the find facility above. We will be pleased to assist.