The smart way to perform information security risk assessments — just answer some questions
Mastering Risk Assessment and the Statement of Applicability
Perform your ISO/IEC 27001 conformant risk assessment, risk treatment and Statement of Applicability in five easy steps:
…an automation of the prescription given in David Brewer’s new book: “ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability” in the form of Software Assistant. The underlying philosophy of the assistant is a subset of the IMS-Smart philosophy and the twelve events are the same as used in IMS-Smart On-Line.
The home screen of the assistant is a dashboard showing just where you are in terms of answering the various questions and other activities necessary to complete the ISO/IEC 27001 risk assessment, treatment and SOA processes.
The screen shots below are taken with different window widths, illustrating the responsiveness of the assistant web pages.
The next screenshot shows an extract from the Answer Risk Questions page. Once all the questions have been answered, your risk assessment is complete. The questions are either multiple-choice questions or questions that require a number for the answer. Number questions are answered by moving a slider.
The following screen shot shows an extract from the Answer Control Questions page. These questions are reproduced from Appendix C of the book. There are over two hundred questions. However, for each one the default answer is “yes”. The alternative answers are “similar” and “no”.
If you answer “similar”, it means that you cannot strictly give the answer “yes” to the given question, but you can answer “yes” to a slightly different question. If you do this (as shown in the screenshot) you are invited to enter that slightly different question. The assistant will use the statement form of your replacement question in the RTP stories and the SOA.
If you answer “no”, and the question corresponds to an ISO/IEC 27001, Annex A control, you will be invited to enter why. Answering “no” causes the exclusion of that Annex A control, and your explanation is used as the reason for exclusion in the Statement of Applicability.
Tweaking the RTP stories
The assistant uses the answers to the control questions to construct twelve Risk Treatment Plan stories. Each of these stories describes a scenario that describes an event and its consequences. The twelve scenarios ensure coverage of the ISO/IEC 27001, Annex A controls. The stories are called:
Each story is divided into three parts:
Each section is made up of control statements, being the statement forms of the questions that you answered “yes”, and the replacement questions you created for those questions to which you gave the answer “similar”.
The assistant knows the mapping between the questions and the RTPs.
Using the RTP editor, you can change the order of the controls in each RTP section and the text that is displayed. You can do this to render the stories more readable.
Changing the display text does not change the underlying statement form of the question nor its linkage to the SOA.
Use the RTP Effectiveness page to record your views on the effectiveness of your risk treatment plans. Review each story in turn, decide how the controls behave together to modify risk and how effective they are at doing that. The assistant will then perform the necessary calculations to determine the residual risks.
Two SOA layouts
ISO/IEC 27001 requires organisations to produce a Statement of Applicability (SOA) that includes the necessary controls and the excluded Annex A controls. Notwithstanding that the standard specifies what the SOA must contain, it does not specify how it should be laid out.
Traditionally, SOAs follow the structure of ISO/IEC 27001, Annex A, listing each Annex A control in turn. As the necessary controls are determined by the organisation through the process of risk treatment (and not selected from Annex A, as was the requirement in the 2005 edition of ISO/IEC 27001), necessary controls do not have to be Annex A controls. A necessary control that is not an ISO/IEC 27001, Annex A control is a custom control (as explained in ISO/IEC 27003). If the specification of a custom control is similar to that of an Annex A control it can be declared as a variant. In this case, the custom control specification replaces the Annex A control specification, but the Annex A control identifier and control name are retained. If the specification is dissimilar to any Annex A control, then it needs its own identifier and name, and is inserted at any appropriate location in the SOA.
An alternative layout is to:
As the input data for both layouts is the same, the assistant permits you to switch easily (at the click of a button) between the two layouts.
An Edit Names facility is provided to allow you to edit the names and provide additional SOA information such as the implementation status of the controls.
Exporting the results
Once all the steps are complete you use the Export Results feature to export the results. If you attempt to export the results before all the necessary steps have been completed, the reports will contain warning messages, identifying what is missing.
The assistant provides administrative facilities for:
Edition managements provides a degree of version control.
Pricing and purchase
The assistant is available on an annual subscription basis for the sum of £9.99 per month (plus applicable taxes). An account will provide you with a 5-user licence, two of which will be classed as administrators. Sales are conducted by our Revenue Delivery Partner, Paddle.com. Sign up for a free-30 day trial first.
If you are interested in learning more about this assistant, please contact us.
The book “ISO/IEC 27001 — Mastering Risk Assessment and the Statement of Applicability” is available now to buy on Amazon. The book explains the method in detail and can be used without the Assistant. However, the Assistant renders the method described in the book far easier to use. The book explains how to access an evaluation copy of the Assistant.
you consent to that site setting authentication session cookies
|© IMS-Smart Limited, 2020-21|
|Page last updated: April 28, 2021|