The Cornerstone of Your ISMS: Statement of Applicability
How to develop a Statement of Applicability according to ISO 27001:2013
By Jesper E. Siig, Senior Security Advisor at Neupart
© 2013 Neupart

Introduction

The Statement of Applicability (SoA) is a central, mandatory part of the ISO 27001 standard for Information Security Management Systems. In this whitepaper we will look at why it is important, how the Statement of Applicability is developed, and at some tools that help you develop your own. If you follow the advice in this white paper, you will not only be able to speed up the development of your Statement of Applicability, but also be certain that your work follows the methodology for implementing an Information Security Management System prescribed by the ISO 27001:2013 standard.

Why

Apart from the fact that it is a mandatory part of an Information Security Management System, there are many reasons why it is worth spending time establishing an accurate, up-to-date Statement of Applicability. The Statement of Applicability forms the main link between your risk assessment and the information security you have implemented. Its purpose is to document which controls (security measures) from ISO 27001 Annex A (and thereby the ISO 27002 standard for information security) you will implement, the reason they have been chosen, and, for those that have not been chosen, the justification for their exclusion.

While the standard does not directly specify this, it has become good practice to also include the following in the Statement of Applicability document:
- The status of implementation for existing controls
- A link to the control documentation, or a brief description of how each control is implemented
- A cross-reference to the sources of other requirements that necessitate the chosen controls

Thus, by preparing a good-quality Statement of Applicability, you will have a thorough and full overview of which controls you need to implement, why they are implemented, how they are implemented, and how well they are implemented. In the following, we will take a look at how you can go about developing your Statement of Applicability.

How

The Statement of Applicability is the result of numerous activities defined in the planning phase of an ISO 27001 implementation. The two primary sources for the Statement of Applicability are the risk assessment and Annex A of the standard (in reality the table of contents of the ISO 27002 standard). Other sources are the controls that currently exist in the organization and the external security requirements that the organization has to comply with. Your road to the Statement of Applicability can be illustrated like this:

Figure 1. The Road to SoA - and beyond

Identify and Analyse Risks

To ensure that the controls that are implemented reflect the risks that the organization faces, a risk analysis must be undertaken. The risk analysis starts with an identification of the risks. The identification consists of the following activities:
1) Identify the risks associated with the loss of:
   a. Confidentiality
   b. Integrity
   c. Availability
2) Identify the risk owners

Secondly, the risks must be analysed and evaluated.
The analysis consists of the following activities:
3) Assess the potential consequences that would result if the risks identified were to materialize
4) Assess the realistic likelihood of the occurrence of the risks identified
5) Determine the levels of risk
6) Compare the analysed risks with the organization's risk acceptance criteria and establish priorities for treatment

Select Controls

Where the analysis has determined that the risks are not acceptable, proper action must be taken. The risk treatment options typically are:
a) Applying appropriate controls
b) Knowingly and objectively accepting risks
c) Avoiding risks, or
d) Sharing the associated business risks with other parties, e.g. insurers or suppliers

For those risks where option a) above is chosen, proper controls must be selected. Fortunately, ISO 27002 provides us with a very good catalogue of control objectives and controls for the treatment of risks, as well as good guidance on how to implement the controls.

In addition to the risk analysis, numerous other sources may come into play when you select controls. Common sources are:
- Currently implemented controls
- Payment Card Industry Data Security Standard (PCI DSS)
- National data protection laws, based on the EU Data Protection Directive, or other legal requirements
- SANS Twenty Critical Controls for Effective Cyber Defence

Other sources may be:
- Industry-specific regulatory requirements
- Contractual security requirements
- Corporate or Group security requirements which a subsidiary must adhere to
- NIST Security and Privacy Controls for Federal Information Systems and Organizations

It is recommended that, if the organization wishes to adhere to ISO 27001, the Statement of Applicability is organized according to ISO 27002, and that the various other security requirements are then mapped into the ISO 27002 framework. The Statement of Applicability should document, for each chosen control:
1. The source of the requirement which has led to the selection of the control
2. The maturity or level of compliance of the control
3. A reference to where in the source the need for this control is stated, OR the reason that the control has not been selected
4. A short description of the control, or a reference to where the control is described

Analyse Gaps

While this is not a strict requirement of the ISO 27001 standard, it is recommended that, once the required controls have been selected, a gap analysis is performed to establish the current state of the implementation of the controls. To ensure that the evaluation of the controls is consistent and coherent, it is recommended that a commonly accepted maturity level model be selected. Examples of such maturity scales are:
- The COBIT 4.1 Maturity Model
- Carnegie Mellon Software Engineering Institute Capability Maturity Model (CMM)
- The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark

Typically the scale for maturity falls in 5 levels:
0. Non-existent
1. Initial/Ad hoc
2. Repeatable but intuitive
3. Defined process
4. Managed and measurable
5. Optimized

Writing the Statement of Applicability

After having selected the controls and performed a gap analysis on the selected controls, we now have all the information needed to write the Statement of Applicability itself. It is recommended that a structured tool is used to document the Statement of Applicability. That way, it will be possible to work with the content of the Statement of Applicability and, for instance, sort and filter based on compliance level, source of requirements and other parameters. Examples of relevant tools for writing the Statement of Applicability are spreadsheets, databases and dedicated ISMS tools, such as SecureAware from Neupart.
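As an added illustration (not part of the original whitepaper or of Neupart's spreadsheet), the following Python script models Statement of Applicability rows with the columns described above and checks each row for the consistency the standard expects: a selected control needs a requirement source, a source reference and a description, while an excluded control needs a justification and no ticked source. The control numbers follow the ISO 27002:2013 layout; the assessments, references and sources are constructed sample data.

```python
"""Consistency checks for a Statement of Applicability kept as rows with the
columns this paper describes (control #, title, requirement sources, compliance
level 0-5 or NA, source reference / reason for exclusion, description)."""
from collections import Counter

LEVELS = {0: "Non-existent", 1: "Initial/Ad hoc", 2: "Repeatable but intuitive",
          3: "Defined process", 4: "Managed and measurable", 5: "Optimized"}

# Constructed sample rows (assessments, references and sources are invented).
SOA = [
    {"control": "A.9.2.1", "title": "User registration and de-registration",
     "sources": {"RA", "DPL"}, "compliance": 3, "reference": "Risk R-12; DPL section 41",
     "description": "Joiner/leaver procedure, see ACC-PROC-01"},
    {"control": "A.14.2.7", "title": "Outsourced development", "sources": set(),
     "compliance": "NA", "reference": "No software is developed externally", "description": ""},
    {"control": "A.12.4.1", "title": "Event logging", "sources": {"RA"},
     "compliance": 1, "reference": "", "description": "Syslog to central server"},
]

def validate(row):
    """Return the problems with one SoA row; an empty list means it is consistent."""
    problems = []
    if row["compliance"] == "NA":
        # An excluded control still needs a documented justification.
        if not row["reference"].strip():
            problems.append("excluded control lacks a reason for non-applicability")
        if row["sources"]:
            problems.append("marked not applicable but a requirement source is ticked")
        return problems
    if row["compliance"] not in LEVELS:
        problems.append(f"compliance level {row['compliance']!r} is not 0-5 or NA")
    if not row["sources"]:
        problems.append("selected control has no requirement source")
    if not row["reference"].strip():
        problems.append("selected control lacks a source reference")
    if not row["description"].strip():
        problems.append("selected control lacks a description or reference")
    return problems

def gap_summary(rows):
    """Count applicable controls per maturity level, the view a gap analysis needs."""
    return Counter(LEVELS[r["compliance"]] for r in rows if r["compliance"] in LEVELS)

def by_source(rows, source):
    """List controls selected because of one requirement source, e.g. 'DPL'."""
    return [r["control"] for r in rows if source in r["sources"]]
```

Running `validate` over every row before each SoA revision catches the gaps an auditor would flag, such as the missing source reference on A.12.4.1 in the sample data.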
It should be noted that the Statement of Applicability must not be a one-off exercise, but must be updated when there are changes to the controls, to the compliance level, or to the requirements that necessitate the controls.

Plan Risk Treatment

As noted in the introduction, the Statement of Applicability is a very central document in the information security management system. After the initial version of the Statement of Applicability has been developed, it will be used both when developing the risk treatment plan and when implementing the controls that have been selected during the 'Select Controls' activity. The risk treatment plan could be said to be the organization's security implementation plan, and the primary goal of the plan is to achieve the organization's security goals. When planning the implementation, the following factors should be considered:
1. What will be done?
2. What resources will be required?
3. Who will be responsible?
4. When will it be completed?
5. How will the results be evaluated?

Another important factor to consider when planning the security implementation is the importance of the controls that are being implemented, so the security activities must be prioritized according to:
- The consequences associated with the risks
- The likelihood of the risks
- Legal and other regulatory requirements

Implement Controls

Once the risk treatment planning has been done, the actual security work starts. Depending on how wide the gap is between the actual and the necessary security levels, this may be both a work-intensive and a time-consuming task. Therefore it is not unusual to see risk treatment plans that stretch over several months or even years. During the implementation of the controls, the maturity of the ISMS improves, and therefore the Statement of Applicability must be updated to reflect this progress.
Maintaining the Statement of Applicability

As noted above, the Statement of Applicability must be continually updated, and Neupart recommends that previous (major) versions be kept, so that the improvements in control implementation and compliance can be documented. Also, as the organization's risk management approach matures, it is likely that recurring risk assessments will result in updates to the overall risk picture and therefore also to the Statement of Applicability. An up-to-date Statement of Applicability is very useful for documenting the overall implementation level of the ISMS as well as the effectiveness of the controls that have been implemented.

Tools

As noted above, it is very useful to use a structured tool to document the Statement of Applicability. Neupart offers a fully-fledged Information Security Management System, SecureAware. SecureAware is developed from the methodology prescribed in ISO 27001 and ISO 27002 as well as the standard for information risk management, ISO 27005. SecureAware will help you automate the implementation of your Information Security Management System, saving you valuable resources as well as ensuring that your implementation follows the standards. SecureAware is available as a time-limited free trial that allows you to create your Statement of Applicability.

If you wish to initiate the implementation of your ISMS without the aid of SecureAware, we have developed a spreadsheet that can be used to document the Statement of Applicability. The spreadsheet is structured according to the ISO 27002 controls, which means that it corresponds directly with the control objectives and controls included in ISO 27001 Annex A. The columns in the spreadsheet are as follows (heading, followed by its use):
- ISO 27002 Control #: Section number
- Identification: Section title
- Source for Requirement (RA, Cur. Cont., DPL): These columns are example requirements; other sources may be added depending on the organization's needs. The examples are Risk Assessments, Current Controls, Contractual requirements and Data Protection Law.
- Compliance: Assess the maturity of the control according to this scale: 5. Optimized; 4. Managed and measurable; 3. Defined process; 2. Repeatable but intuitive; 1. Initial/Ad hoc; 0. Non-existent; or Not applicable
- Source reference / Reason for Non-applicability: Either document the reason for applicability by identifying the relevant section in the source for the requirement, OR explain why this control is not relevant
- Control Description / Reference to Control: Either give a short description of the control, OR give a reference to the description of the control

Download the spreadsheet here: www.neupart.com/resources/iso-27001/soa-template

References

- ISO Standard 27001 - Information security management systems - Requirements: http://www.iso.org/iso/home/search.htm?qt=27001&sort=rel&type=simple&published=on
- Payment Card Industry - Data Security Standard (PCI DSS): https://www.pcisecuritystandards.org/security_standards/index.php
- SANS Institute - Twenty Critical Security Controls for Effective Cyber Defence: http://www.sans.org/critical-security-controls/
- NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
- EU Data Protection Directive 95/46/EC: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT
- Danish Data Protection Law (Persondatalov): https://www.retsinformation.dk/Forms/r0710.aspx?id=828
- The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark: http://www.digst.dk/Arkitektur-og-standarder/Styring-af-informationssikkerhed-efter-ISO27001/~/media/Files/Arkitektur%20og%20standarder/Informationssikkerhed%20efter%20ISO27001/ISO27001_Benchmark.ashx

Sign up for more insights on Information Security Management. Receive white papers, articles, webinar invitations etc.: www.neupart.com/resources/newsletter-signup

What is SecureAware ISMS?

Spend less time on security management and get a more precise overview of your security. If you have to comply with standards or best practice for information security, SecureAware gives you improved efficiency and the option to easily assess how much security your organization needs. With SecureAware you no longer need complex spreadsheets for risk assessments, and you can avoid using lengthy security manuals in countless versions. Further, SecureAware gives you several shortcuts to ISO 27001, PCI DSS compliance and others. You will also get a complete overview of your recurring security tasks. That way you can spend less time on security management, or you can choose to spend your consultancy budget on other projects. SecureAware can be used as a full information security management solution or as individual modules.
Get more information and a free trial here: www.neupart.com/products

Using SecureAware you will get:
- ISO 27001 Information Security Management System (ISMS) Plan-Do-Check-Act process and Statement of Applicability
- IT risk management in compliance with ISO 27005 and NIST SP800-37
- PCI DSS compliance
- Policy and security awareness management
- Cloud vendor analysis based on Cloud Security Alliance GRC Stack
- Compliance analysis
- Control of the security functions
- Business Continuity Planning in accordance with BS 25999
- Timesaving templates for security policies, business continuity plans and threat catalogue
- APIs for data exchange
- Smart upgrade ensures easy access to new features and content updates
- Runs on several SQL databases
- MS Active Directory support with users and groups
- Available as a software solution or as a service

Neupart, an ISO 27001 certified company, provides an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management. Whether you need to manage evolving business risks or achieve continuous compliance with PCI DSS, ISO 27001, EU Data Protection Regulations, Cloud Security Alliance Control Matrix, or WLA SCS, Neupart allows you to respond effectively - in the cloud or on the ground. More than 200 organisations worldwide are Neupart customers, including governments, utilities, banks and insurance firms, IT service providers and lotteries.

Neupart, Hollandsvej 12, DK-2800 Lyngby. T: +45 7025 8030. www.neupart.com