Information Security Risk Management for ISO27001/ISO27002

CHAPTER 14: THE STATEMENT OF APPLICABILITY

Having conducted the risk assessment and taken decisions regarding the treatment of those assessed risks, the results need to be documented. This produces two documents:

• Statement of Applicability, and

• Risk Treatment Plan.

The first lists all the controls listed in Annex A of ISO27001 and documents whether or not they have been applied within the ISMS, and also identifies additional controls that have been applied. The second maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation plan; we discuss this further in Chapter 15.

Drafting the Statement of Applicability

As the ...

Get Information Security Risk Management for ISO27001/ISO27002 now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Information Security Risk Management for ISO27001/ISO27002 by Alan Calder, Steve Watkins

CHAPTER 14: THE STATEMENT OF APPLICABILITY

Drafting the Statement of Applicability

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly