Questions about risk
Whilst attending your ISO/IEC 27001 Lead Implementer course, the following question (which actually consists of two subquestions) has arisen:
After risk assessment (in which I have also considered already implemented controls in order to reduce likelihood and/or impact) I still have a small number of unacceptable risks (i.e. with a high risk level).
Now I have to choose between the available risk treatment options. I decide to apply further controls (although I think I could also choose risk acceptance as a risk treatment option and, as a result, simply live with the risks due to my risk appetite). I pick 2-3 applicable controls (although there are more applicable controls in Annex A which I do not wish to adopt) from Annex A which will be implemented in the risk treatment plan later on.
First subquestion: Is my thinking process aligned with ISO/IEC 27001 requirements?
Second subquestion: I now have to create the statement of applicability. Can I only consider (in the SoA) those controls which I have considered as significant for reducing my unacceptable risks OR is it mandatory to implement also controls (from Annex A) which I regard (according to my opinion) as not really useful or which I simply do not wish to apply?
1 - First subquestion: Is my thinking process aligned with ISO/IEC 27001 requirements?
Your thinking process follows the standard's requirements.
2 - Second subquestion: I now have to create the statement of applicability. Can I only consider (in the SoA) those controls which I have considered as significant for reducing my unacceptable risks OR is it mandatory to implement also controls (from Annex A) which I regard (according to my opinion) as not really useful or which I simply do not wish to apply?
You have to include all controls from Annex A in the SoA, but you do not have to state as applicable all possible controls related to a risk you decided to treat. You only have to pay attention to the justification for not applying a control (you have to justify both applicable and non-applicable controls).
So, from the answer to the question I conclude that if someone decides to choose "risk acceptance" (e.g. due to insufficient resources, or because risk mitigation is considered very time consuming and also costly) as the only risk treatment option for all unacceptable risks (according to the risk level), then ALL controls (although theoretically and logically applicable to the unacceptable risks) can (in the Statement of Applicability) be considered as non-applicable (with the justification "relevant risks have been considered as accepted according to one of the available risk treatment options") and they will not be implemented. This would result in a very 'light' Statement of Applicability, though. Could a certification body consider this as a (major) non-conformity? Thank you.
In general, considering all controls as non-applicable would be a major nonconformity against clauses 4.4 (Information security management system), 8.1 (Operational planning and control), and 10.2 (Continual improvement).
This article will provide you with further explanation about risk appetite:
- Risk appetite and its influence over ISO 27001 implementation https://advisera.com/27001academy/blog/2014/09/08/risk-appetite-influence-iso-27001-implementation/
Apr 30, 2020