Whilst the Statement of Applicability identifies which of the ISO27001 Annex A controls (and which, if any, additional controls) are to be implemented, it does not prioritise implementation or provide any guidance on how implementation is to be carried out.
Of course, it would be logical for the organisation to tackle and implement controls in the order of priority (i.e. ‘very high’ first) identified through the risk assessment. The controls that are most critical for the organisation will be those that relate to the threats and vulnerabilities that it has identified, through the risk assessment process, as being most serious to its most critical systems.
The reality is that most organisations that set out to achieve ISO27001 certification already have a number of information security measures in place, and we touched, in Chapter 13, on the requirement to identify and record the existing controls when doing the initial risk assessment. ISO27001 requires the organisation to ensure that the controls already in place are adequate and appropriate, and that any additional required controls are implemented as quickly as possible. In other words, although the standard does not explicitly require one, an analysis of the gap between what is in place and what is required following the risk assessment should be carried out.
This gap analysis can be conducted either bottom-up or top-down. A bottom-up analysis will start with the information gathered during the risk assessment process, about all controls currently in place inside the organisation, and then assess whether or not they are adequate against the requirements of the organisation’s Statement of Applicability and the standard. A top-down approach starts with the controls identified in the Statement of Applicability and assesses, by comparison with the existing controls, the extent to which the new requirements have already been met. The authors’ preferred approach is the top-down one, as this will most quickly identify the critical loopholes in the existing security systems, as well as the controls that are unnecessary and can be eliminated or limited.
The Statement of Applicability will be complete once all the identified risks have been assessed and the applicability of all the identified controls has been considered and documented. Usually, the statement is started before any controls are implemented and completed as the final control is put in place.
The gap analysis is really the essential step in the creation of the Risk Treatment Plan and, when compared to the original ‘benchmark starting point’, can act as a progress report.
Clause 4.2.2 a) of the standard requires the organisation to ‘formulate a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks’. Risk treatment is, as we saw earlier, part of the risk management process.
There is a link to ISO27001 clause 5, a substantial clause dealing in detail with management responsibility. Clearly, the Risk Treatment Plan needs to be documented. It should be set within the context of the organisation’s information security policy and it should clearly identify the organisation’s approach to risk and its criteria for accepting risk, as discussed elsewhere in this book. The risk assessment process must be formally defined and responsibility for carrying it out, reviewing it and renewing it, formally allocated. At the heart of this plan is a detailed schedule, which shows for each identified asset:
• each threat-vulnerability relationship and the associated risk level (from the risk assessment tool);
• the gap between the assessed risk and the acceptable level of risk;
• how the organisation has decided to treat the risk (accept, reject, control, transfer);
• the control gap analysis:
  • what controls are already in place and their nature (e.g. deterrent, preventive);
  • what additional controls are considered necessary, and their nature (with details of any supporting cost-benefit analysis);
• the resources required for the task (financial, technical and human);
• the timeframe for implementing the controls.
The Risk Treatment Plan links the risk assessment (contained in the chosen risk assessment tool and its outputs) to the identification and design of appropriate controls, as described in the Statement of Applicability, such that the board-defined approach to risk is implemented, tested and improved. This plan should also ensure adequate funding and resources for implementation of the selected controls and should set out clearly what these are.
The Risk Treatment Plan should also identify the individual competence and broader training and awareness requirements necessary for its execution and continuous improvement.
We see the Risk Treatment Plan as the key document that links both components of the risk management process and all four phases of the PDCA cycle for the ISMS. It is a high-level, documented identification of who is responsible for delivering which risk management objectives, of how this is to be done, with what resources, and how this is to be assessed and improved; but at its core is the detailed schedule describing who is responsible for taking what action, in respect of each risk, to bring it within acceptable levels.