ISO 27001 is the working standard and it contains 7 main sections, including:
- Normative References
- Terms and definitions
- Context of the Organisation
- Performance Evaluation
Put very simply, ISO 27001 is a declaration of an organisation's ability to consistently protect information security and to satisfy its customers' information security needs.
Risk Assessments
Risk assessments must be carried out on the important parts of the organisation; the risks are evaluated and a risk treatment plan is established to mitigate them. Where medium risks cannot be reduced, it is permitted to accept the risk based on certain criteria.
Risk assessments have been carried out on each asset.
The methodology used identifies the Asset Value:
- Low value to the business
- Moderate importance to the business
- Highly important to the business
Following the risk assessment the results are reviewed at an ISMS Forum meeting.
Scores are either confirmed or adjusted as necessary.
Items which are seen as high risk are addressed with the highest priority.
Risk assessments are revisited and actions taken as necessary. Issues which are identified in the interim as high risk will be addressed immediately if, in the opinion of management, delay would be detrimental to the company.
Statement of Applicability
The Statement of Applicability (S.O.A) is a document that is available to the public and is attached to the Certificate of Compliance issued by the Certification Body. It details which elements of the standard are applicable and which are excluded, with a justification for each exclusion.
Annex A of ISO 27001 contains all the controls that may be applied by an organisation.
Clearly not all organisations will apply all elements of the Standard and this document details which are used.
The S.O.A is version controlled, and any change to it must be notified to the Certification Body.