12 Nov

9 Identify applicable objectives and controls

Next, for the risks that you’ve determined to be intolerable, you must take one of the following actions:

  • accept the risk, for example because mitigating actions are not possible (the risk is outside your control, such as a natural disaster or political uprising) or are too expensive.
  • transfer the risk, for example by purchasing insurance against the risk or by subcontracting the activity so that the risk is passed on to the subcontractor.
  • reduce the risk to an acceptable level through the use of controls.

To reduce the risk, you should evaluate and identify appropriate controls. These controls might be controls that your organization already has in place or controls that are defined in the ISO 27002 standard.
(Note: Examining the controls that you already have in place against the standard, and then using the results to identify which controls are missing, is commonly called a “gap analysis.”)

What you will need:

  • Annex A of ISO 27001. This appendix summarizes controls that you might want to choose from.
  • ISO 27002, which provides greater detail about the controls summarized in ISO 27001.
  • Procedures for existing corporate controls.

You should end up with two documents by completing this step:

  • A Risk Treatment Plan
  • A Statement of Applicability

The Risk Treatment Plan documents the following:

  • the method selected for treating each risk (accept, transfer, reduce)
  • which controls are already in place
  • what additional controls are proposed
  • the time frame over which the proposed controls are to be implemented

The Statement of Applicability (SOA) documents the control objectives and controls selected from Annex A. The Statement of Applicability is usually a large table in which each control from Annex A of ISO/IEC 27001 is listed with its description, together with columns that indicate whether the organization adopted that control, the justification for adopting or not adopting it, and a reference to the location where the organization’s procedure for applying that control is documented. The SOA can be part of the Risk Assessment document, but it is usually a standalone document because it is lengthy and because the standard lists it as a required document. For additional help with creating a Risk Treatment Plan and a Statement of Applicability, refer to the two sets of examples that follow.

Example of a Risk Treatment Plan:

If you used a table as described in the preceding steps, the control analysis portion of your Risk Treatment Plan could be covered by the Control column and the Sufficient Control column, as shown in the following example. Any risks that you transfer to others, or that you choose to accept as they are, should also be recorded in your treatment plan.

The remaining Risk Treatment Plan requirements could be met by adding this table to a Risk Assessment Methodology document, like the one you created in step 5, and by explaining there the methods used for treating each risk and the time frame in which the controls will be implemented.

Example of a Statement of Applicability:

The following is an excerpt of a Statement of Applicability document. The Reference column identifies the location where the statement of policy or detailed procedure related to the implementation of the control is documented.