This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.
But if you are using closed-source products such as those from Microsoft, are you giving up control? Things like validation checks and integrity controls are are 'internal'.
Well, its a bit of a word-play.
- SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (ie ecommerce)
- SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.
With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted
The key to the SOA is SCOPE.
Don't try to include everything at first.
With as narrow scope its easier to garner support and commitment.
(You can view it the other way round as well, determine what you can initially get support for and limit your scope to that.)
With limited scope there are going to be controls that are not applicable. That's your first case above. Whether you need to state that the controls are not applicable or just note it lest the scope later changes, is really up to you. Sometimes the obvious *does* have to be stated.
Lets not forget "Accepted Risk".
The "Three A" rule covers
- Avoid (you have a control or mitigation)
Don't forget that you can "assign" risk. The most common way of doing that is taking out insurance. This can have many forms, even down to getting someone else to accept the risk 🙂
My belief is "Document *EVERYTHING*".
There are two very obvious reasons for that.
The first is that you have a record of the decision to show the auditor. The second is that there is a record of the decision (and hopefully reasons for that) for whoever inherits this from you. Or even you yourself a year from now when you've forgotten the details.
Oh the number of times in many phases of my career when I've met a situation and thought "now why did they do that, why did they choose that way instead of another". And there were no records as to why. I might be able to see what I think is a better way, but perhaps there were circumstances I am unaware of. Perhaps those circumstances have changed ... or perhaps not. As I keep saying ...
Context is Everything
... and unless you record what that context is then you could be setting
things up for a disaster.
- Why are the ISO 27000 Standards Important to Organizations? (infocus.emc.com)
- Risk Treatment Plan and risk treatment process - What's the difference? (iso27001standard.com)
- The greatest risk - one generally overlooked by risk practitioners (normanmarks.wordpress.com)
- An Open Letter to COSO about Enterprise Risk Management (normanmarks.wordpress.com)
- How much Risk Assessment is needed? (infosecblog.antonaylward.com)