Next, for the risks that you’ve determined to be intolerable, you must take one of the following actions:
To reduce the risk, you should evaluate and identify appropriate controls. These may be controls that your organization already has in place or controls that are defined in the ISO 27002 standard.
(Note: Examining the controls you already have in place against the standard and then using the results to identify which controls are missing is commonly called a “gap analysis.”)
What you will need:
You should end up with two documents by completing this step:
The Risk Treatment Plan documents the following:
The Statement of Applicability (SOA) documents the control objectives and controls selected from Annex A. The Statement of Applicability is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description, together with columns that indicate whether the organization adopted that control, the justification for adopting or not adopting it, and a reference to the location where the organization’s procedure for applying that control is documented. The SOA can be part of the Risk Assessment document, but it is usually a standalone document because it is lengthy and because the standard lists it as a required document. For additional help with creating a Risk Treatment Plan and a Statement of Applicability, refer to the two sets of examples that follow.
Examples of a Risk Treatment Plan:
If you used a table as described in the preceding steps, the control analysis portion of your Risk Treatment Plan could be covered by the Control column and the Sufficient Control column, as shown in the following example. Any risks that you transfer to others or that you choose to accept as they are should also be recorded in your treatment plan.
The remaining Risk Treatment Plan requirements could be met by adding this table to a Risk Assessment Methodology document, like the one you created in step 5, and explaining there the methods used for treating risk and the time frame in which the controls will be implemented.
Example of a Statement of Applicability:
The following is an excerpt of a Statement of Applicability document. The Reference column identifies the location where the statement of policy or detailed procedure related to the implementation of the control is documented.