...

  • A completed risk assessment, analysis of the identified risks and prioritisation (ISO/IEC 27001 §6.1.2)
  • A list of risk owners

If this is not the first time you are thinking about controls, then you will also need to take into account:

  • The effectiveness of previously selected controls
  • The results of previous risk assessments
  • The evaluation of monitoring and measuring activities

This page aims to address ISO/IEC 27001 §6.1.3 Information Security Risk Treatment,

i.e. select treatment options (not necessarily controls; e.g. accept the risk, insure against it, stop certain activities or behaviour, etc.), determine the controls applicable to mitigating each risk (ref lists below), and produce a statement of applicability for implementing the selected controls.

Control sets

You will need to decide on what set of controls is most appropriate to use in your organisation. It is from this set that you will select the controls necessary to control risks, and meet internal and external requirements. Sets of controls include:

There may also be controls specific to your country. The UK specifies five controls for basic cyber hygiene in the Cyber Essentials standard, and the controls/objectives for operators of essential services under the NIS Directive are published by NCSC.

...

ISO/IEC 27001 requires that you produce a statement of applicability (SoA). It must list the necessary controls (those you have chosen, together with those from Annex A), detail which controls you have selected and why, and give the justification for any Annex A controls you have excluded. Many organisations decide to produce internal- and external-facing SoAs with different levels of confidential information. Your SoA must be subject to version control.

SOA - Template

Attachment: Template - Statement of applicability (SOA) v 1.1.xlsx


Outputs

  • Risk treatment plan
  • Statement of applicability
  • An understanding of residual risk after control selection


Attachment: Template - Risk treatment plan.doc