A blog about GRC (Governance, Risk Management, and Compliance)

The new ISO 27001 is out! How to develop a Statement of Applicability

[fa icon="calendar"] Friday, 11 October 2013 / by Jakob Holm Hansen

The 2022 editions of the widely used standards for information security management, ISO 27001 and 27002 have been updated. The new versions contain a number of improvements that should be of interest to companies that lean towards ISO 27001 or comply with it.


ISO 27001 describes requirements to an Information Security Management System (ISMS). The requirements addresses the same topics as the previous version. The good news is that companies now have more freedom to choose how they will comply with the requirements. More functionality, less form, as one of my colleagues put it.

 

Risk Management = Risk Assessment + Risk Treatment

Risk management is now an even more central part of your ISMS. Risk management consists of a process of risk assessment and a process of risk treatment.

Road to SoA - and beyond


In the new ISO 27001 (and in the old standard as well), a key document is the Statement of Applicability, the SoA. It's new that your SoA is so closely aligned with your risk treatment process. It's also new that your organisation is to appoint Risk Managers. The responsibility of a Risk Manager is to approve your risk treatment plan and your risk tolerance - sometimes referred to as risk appetite.


Your SoA describes what controls are part of your ISMS. You have to justify both control inclusions and exclusions; that's a nice improvement to the standard. As the SoA is or becomes such a central document in your ISMS, we have produced a free guide on how to prepare and maintain your SoA most effectively.


DOWNLOAD How to develop an ISO 27001 Statement of Applicability.


PS! I have a few more ISO 27001 resources for you:
Guide: Measuring ISO 27001 ISMS efficiency with KPIs

 

Emner: risk analysis, gap analysis, Information risk management, Statement of Applicability, SoA, risk treatment, controls, iso iec 27001:2013

GRC blog

The NorthGRC blog offers advice and knowledge of effective information security management, security strategies, risk management, compliance with information security standards and other requirements, business continuity planning, ISO2700x, EU Data Protection Regulation, PCI DSS, etc.

Popular Posts