The Statement of Applicability
The Statement of Applicability can bring on a fear similar to the laughter at the end of Michael Jackson’s Thriller. However, once you start to break down this table of control objectives from ISO 27001, it begins to take shape and becomes a very helpful tool for managing your data security.
More so than in many other standards, in the ISO 27001 Information Security Management System requirements ISO have done a lot of the thinking for you. They even give you the table to use! Let’s have a closer look.
It’s all in Section 6.1
The first part is the usual ISO requirement to address your business risks: the internal and external factors that may affect your operations.
Next up is a security risk assessment, in which you define your tolerance for particular risks and how you assess them; most organisations opt for a simple likelihood-and-severity scale (1 to 3, high or low, whatever suits). Then you assign each risk a category according to whether the impact affects confidentiality, integrity or availability.
Once you have your risks, the next part asks you to define and apply your controls, aka risk treatment: basically, put processes and procedures in place, prioritising your higher areas of risk. This is where the Statement of Applicability comes in… and the table of controls it is built from is attached to the standard as Annex A!
- Pick your highest risks based on your risk assessment
- Know what you need to do about them
- Compare your actions with the table provided (aka Annex A, aka Statement of Applicability) to make sure you haven’t missed anything obvious
- Fill it in with your best control measures, and justify any that you aren’t controlling, usually because they simply aren’t applicable to your operations
- Come up with a plan for stuff that you aren’t quite doing yet
- Get everyone on board and accept what risk you’re left with.
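As an added illustration that is not part of the original article, here is a small Python model of the steps above: score each risk on the 1 to 3 likelihood and severity scale, pick those at or above your tolerance, and build a Statement of Applicability that marks each control implemented, planned, or not applicable with a justification, and flags any control you have neither treated nor justified. The control catalogue, the risks, the tolerance and the decisions are constructed placeholders, not real Annex A numbers.

```python
from dataclasses import dataclass

# Constructed placeholder catalogue standing in for Annex A: these ids and titles
# are not the real Annex A control numbers, which the article does not list.
ANNEX_A = {
    "A-1": "Information backup",
    "A-2": "Protection against malware",
    "A-3": "Secure disposal of storage media",
    "A-4": "Physical security of our own data centre",
    "A-5": "Information security awareness training",
}

@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (low) to 3 (high), the article's simple scale
    severity: int     # 1 (low) to 3 (high)
    category: str     # "C", "I" or "A": confidentiality, integrity, availability
    controls: tuple   # catalogue ids chosen to treat this risk
    def __post_init__(self):
        if self.likelihood not in (1, 2, 3) or self.severity not in (1, 2, 3):
            raise ValueError(f"{self.name}: likelihood and severity must be 1-3")

    def score(self) -> int:
        return self.likelihood * self.severity  # 1..9, higher is worse

def build_soa(risks, tolerance, implemented, not_applicable):
    """Map every catalogue control to (status, justification). Risks scoring at or
    above tolerance must be treated; not_applicable is {id: reason for exclusion}."""
    treated = sorted((r for r in risks if r.score() >= tolerance), key=Risk.score, reverse=True)
    soa = {}
    for cid in ANNEX_A:
        names = [r.name for r in treated if cid in r.controls]
        if names:  # needed by a treated risk: either in place or on the plan
            status = "implemented" if cid in implemented else "planned"
            soa[cid] = (status, "treats: " + "; ".join(names))
        elif cid in not_applicable:
            soa[cid] = ("not applicable", not_applicable[cid])
        else:  # the 'have we missed anything obvious' check
            soa[cid] = ("unjustified", "no risk cites this control and no exclusion given")
    return soa

def example():
    # Constructed sample risk register and decisions for one small organisation.
    risks = [
        Risk("Ransomware encrypts the file server", 3, 3, "A", ("A-1", "A-2")),
        Risk("Retired drives leave the office with client data", 2, 2, "C", ("A-3",)),
        Risk("Office printer jams", 3, 1, "A", ()),  # score 3, below tolerance
    ]
    return build_soa(risks, tolerance=4, implemented={"A-1"},
                     not_applicable={"A-4": "all systems are cloud hosted; no data centre"})
```

Running `example()` leaves "A-5" marked unjustified, which is exactly the row an auditor would ask about: either a risk treats it or you write down why it does not apply.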
And write all of that down. Don’t reinvent the wheel: use the table, and since most certifying bodies offer free templates for the risk assessment, use the tools that are available. Of course, we’re here too if you need support!
There are moments when it feels back to front (starting with the Statement rather than the risk assessment feels more natural) and you’ll wonder what your own name is, but with a good night’s rest and some strong coffee you will find it comes together eventually, and you’ll feel like you’ve won some kind of battle!
We hope you enjoyed this article. If you have any questions regarding ISO 27001 certification, Information Security Management System requirements or any other area of getting the very best from your Quality Management System, please get in contact with us.