Warning: include_once(/home/antonaylward/InfoSecBlog/public/wp-content/plugins/wordpress-support/wordpress-support.php): failed to open stream: Permission denied in /home/antonaylward/InfoSecBlog/public/wp-settings.php on line 304

Warning: include_once(): Failed opening '/home/antonaylward/InfoSecBlog/public/wp-content/plugins/wordpress-support/wordpress-support.php' for inclusion (include_path='.:/usr/local/lib/php:/usr/local/php5/lib/pear') in /home/antonaylward/InfoSecBlog/public/wp-settings.php on line 304
Service-oriented architecture « The InfoSec Blog
The InfoSec Blog

Help on ISO-27000 SoA

Posted by Anton Aylward

This kind of question keeps coming up, many people are unclear about the Statement of Applicability on ISO-27000.
The  SoA should outline the measures to be taken in order to reduce risks such as those mentioned in Annex A of the standard. These are based on 'Controls'.

But if you are using closed-source products such as those from Microsoft, are you giving up control?  Things like validation checks and integrity controls are are 'internal'.

Well, its a bit of a word-play.

  • SoA contains exclusions on controls that are not applicable because the organization doesn't deal with these problems (ie ecommerce)
  •  SoA contains exclusions on controls that pose a threat (and risks arise) but cannot be helped (ie A.12.2 Correct processing in applications) and no measures can be taken to reduce these risks.

With this, a record must be present in risk assessments, stating that the risk (even if it is above minimum accepted risk level) is accepted

IBM CIO Report: Key Findings

The key to the SOA is SCOPE.