Speed up risk assessment, treatment and SOA production

  
  The third edition of ISO/IEC 27002 was published last February… the new controls are now in ISO/IEC 27001:2022 Annex A which was published on 25 October last
 

Master the ISO/IEC 27001 risk assessment and statement of applicability

Book cover for ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability by David Brewer

There is a new edition of the ISMS standard (ISO/IEC 27001:2022/Amd 1:2024), and you are encouraged to start planning your transition now, if you already have an ISMS, or start using the new standard if not.

Whilst there is very little change to the Information security requirements, one of the most challenging and perplexing aspects of ISO/IEC 27001, particularly for small organisations, is still the requirement to produce a “statement of applicability”. Just as frustrating is the requirement to perform a risk assessment and produce a risk treatment plan. Here is how to can fulfil these requirements with ease. You might also like to learn how you can optimise the rest of your ISMS, showcase and exploit it.

 

IMS-Smart On-Line claims to do this in five easy steps, and is explained in Dr David Brewer’s book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability” explains the method in detail, available on Amazon in e-book (£24.99) and paperback formats (price £30.62).

How is this possible?

  • BS 7799-3:2017Information security management systems — Part 3: Guidelines for information security risk management (revision of BS ISO/IEC 27005:2011), Table 4, page 13

    Please note:
    ISO/IEC 27005:2022 (Guidance on managing information security risk) has just been published and incorporates much of BS 7799-3.
    Please also note:
    Whilst ISO/IEC 27001 does not use the term “risk register” (and therefore there is no requirement to have one), the definition of a risk register given in ISO Guide 73 is “record of information about identified risks”. Therefore, a record of the risks that you have identified and assessed in fulfilment of ISO/IEC 27001, Clause 6.1.2, constitutes a risk register. Specifically, the risks identified and assessed in the IMS-Smart On-Line constitutes a risk register.
    presents a set of risks in terms of example event-scenarios and consequences that give coverageThis is an essential property of the chosen event-scenarios. Expand the more detailed explanation accordion to find out why. of the controls in ISO/IEC 27001 Annex A. A fully ISO/IEC 27001 conformant risk assessment can therefore be performed just by estimating the likelihood of the occurrence of each of these events and the severity of their consequences.
  • Once you have determined the controls necessary to mitigate these risks, coverageThis is an essential property of the chosen event-scenarios. Expand the more detailed explanation accordion to find out why. ensures that comparison with the reference controls in ISO/IEC 27001 Annex A is guaranteed not to discover any control that you have inadvertently overlooked.

This approach greatly speeds up the process of risk assessment, risk treatment and production of your statement of applicability.


Want a more detailed explanation?


How can I do this?

To do this you for yourself, you will need to know how the controls in ISO/IEC 27001 Annex A map onto the risk scenarios given in BS 7999-3, or similar. Whilst a clue as to how to do this will be found in the classic Brewer and Nash paper: “Insights into the ISO/IEC 27001 Annex A”, this paper pre-dates the second edition of ISO/IEC 27001. Fortunately however, Dr David Brewer’s book “ISO/IEC 27001:2022 — Mastering Risk Assessment and the Statement of Applicability” provides not only an up-to-date mapping but it also extends the mapping to cover controls derived from the guidance text and control purposes in ISO/IEC 27002.

The book also:

  • presents the questions, the answers to which, will enable you to quickly estimate the inherent risks and thereby complete your risk assessment.
  • casts its reference control set as a series of questions, which will speed up the process of creating your risk treatment plans and the SOA.
  • presents two alternative layouts for the SOA.
  • presents templates for the required risk assessment and risk treatment processes.
  • explains the requirements and presents detailed step-by-step instructions to apply this fast track approach.

The result will be the required documented information for your risk assessment, risk treatment and statement of applicability. The book is available on Amazon in e-book (£24.99) and paperback formats (price £30.62).

If you have any question about IMS-Smart On-Line, ISO/IEC 27001 risk assessment or the Statement of Applicability, just or use the find facility above. We will be pleased to assist.