Inputs/prerequisites/requirements

  • Understand the context and internal and external requirements of the organisation (ISO/IEC 27001 section 4)
  • A defined risk management process (ISO/IEC 27001 section 6)

The model for an ISMS as set out in these documents and in ISO/IEC 27001 is just a model, and it should not be taken as prescriptive. It is possible to make some decisions about controls without first having used the risk management process (8.2), for example choosing a control set, or selecting controls needed to meet customer requirements. Others may prefer to perform a complete risk assessment before considering what controls the organisation needs, in which case you may also require:

  • Completed risk assessment
  • A list of risk owners

This may not be the first time you are looking at the choice of controls. You may also wish to take into account:

  • The effectiveness of previously selected controls
  • The results of previous risk assessments
  • The evaluation of monitoring and measuring activities

Control sets

You will need to make a decision on what set of controls is most appropriate to use within your organisation. From this set of controls, you will select those controls necessary to control risks, and meet internal and external requirements. Sets of controls include:

...

Your selection of controls must be practical for your organisation and staff to implement and understand, otherwise they will not be effective. You should think about how you will monitor and measure the controls as set out in section 9 of the standard.

Non-control

Not all risks need to be controlled. Some may be acceptable, some may be transferred or insured against, or the activity that gives rise to the risk may be stopped. You should pick the most appropriate treatment option, but in most cases it is likely that you will choose to control the risk.

Cost

ISO/IEC 27001 does not go into any detail on the cost of implementing controls, but it does require that controls be appropriate, and you should take this to include their cost. The cost of a control should at least be less than the expected loss from the risk it is intended to control; in practice it should be a lot less than this.

Training/Awareness

It is sensible to provide training to those responsible for implementing, managing, or monitoring controls. This training should cover the reasons why the controls are implemented, how they are intended to reduce risk, and the different ways in which the control can be implemented. It is also a useful means to get feedback on the suitability of controls. Also consider making this training available to your internal auditors.

...

There is a strong relationship between the ISO 27001 Statement of Applicability and the risk-based selection of controls. You can use ISO 27002 and its chapters to group controls, or you can use other groupings that are better suited to your business processes.

Risk acceptance

The selection of controls to treat risks must be accepted by the risk owners, and they must also accept any residual risk. You must have a risk treatment plan that details the risks, the selected controls, acceptance by the risk owner, and whether or not each control has been implemented.

Statement of applicability

ISO/IEC 27001 requires that you produce a statement of applicability (SoA). It must contain the necessary controls (those you have chosen, together with the Annex A controls), detail which you have selected and why, and give the justification for any Annex A controls you have excluded. Many organisations decide to produce separate internal- and external-facing SoAs containing different levels of confidential information.

Outputs

  • Risk treatment plan
  • Statement of applicability
  • An understanding of residual risk after control selection