The InfoSec Blog

Help on ISO-27000 SoA

Posted by Anton Aylward

This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The  SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.

But if you are using closed-source products such as those from Microsoft, are you giving up control?  Things like validation checks and integrity controls are are 'internal'.

Well, its a bit of a word-play.

  • SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (ie ecommerce)
  •  SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.

With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted

IBM CIO Report: Key Findings

The key to the SOA is SCOPE.

Tagged as: , , , , , , , , , , , , , , , , , Continue reading
   

Availability

I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity

Popular Pages

Categories

Archives

Calendar of Posts

June 2017
M T W T F S S
« Nov    
 1234
567891011
12131415161718
19202122232425
2627282930  

Meta

Security Links