Information Security Management System: Statement of Applicability
© Copyright 2013 Frank Wagner


  • 1


    Information Security Management System

    Module 7:

    Statement of Applicability(SoA)

    Version 6.0 / MAY-26-2013

  • 2


    Content

    ● Requirements for SoA

    ● ISO 27001 Annex A

    ● Domains / Objectives / Controls

    ● Creating a SoA


  • 4


    Requirements for SoA (1)

    ISO 27001, 4.2.1 j): 'Prepare a Statement of Applicability'. It shall include:

    ● the controls currently implemented

    ● the controls selected in the RATP, and the reasons for their selection

    ● the justification for the exclusion of any controls in Annex A

  • 5


    Requirements for SoA (2)

    The Statement of Applicability provides a summary of decisions concerning risk treatment.

    Justifying exclusions provides a cross-check that no controls have been inadvertently omitted.


  • 7


    ISO 27001 Annex A (1)

    Remember: ISO 27001 Annex A is normative.

  • 8


    ISO 27001 Annex A (2)

    Control objectives and controls from these tables shall be selected as part of the ISMS process.

    Annex A is not exhaustive: additional control objectives and controls may be necessary.

  • 9


    ISO 27001 Annex A (3)

    [Diagram: Annex A, the InfoSec Policy and the RATP provide input to the SoA; the SoA in turn provides input to Audits.]


  • 11


    Domains/Controls/Objectives

    Annex A consists of

    – 11 domains

    – 39 control objectives

    – 133 controls

  • 12


    Example (1)

    Domain: A.7 Asset Management

    Control Objective: A.7.2 Information Classification. To ensure that information receives an appropriate level of protection.

    Controls: A.7.2.1 Classification Guidelines; A.7.2.2 Information labeling and handling

  • 13


    Example (2)

    A.7.2.1 Classification Guidelines

    Control: Information shall be classified in terms of its value, legal requirements, sensitivity and criticality to the organization

    A.7.2.2 Information labeling and handling

    Control: An appropriate set of procedures for information labeling and handling shall be developed and implemented in accordance with the classification scheme adopted by the organization

  • 14


    Domains

    A.5 Security Policy

    A.6 Organization of information security

    A.7 Asset Management

    A.8 Human resources security

    A.9 Physical and environmental security

    A.10 Communications and operations management

    A.11 Access Control

    A.12 Information systems acquisition, development and maintenance

    A.13 Information security incident management

    A.14 Business continuity management

    A.15 Compliance

  • 15


    Objectives (1)

    A.5 Security Policy

    - Information Security Policy

    A.6 Organization of information security

    - Internal organization

    - External parties

    A.7 Asset management

    - Responsibility for assets

    - Information classification

  • 16


    Objectives (2)

    A.8 Human resources security

    - Prior to employment

    - During employment

    - Termination or change of employment

    A.9 Physical and environmental security

    - Secure areas

    - Equipment security

  • 17


    Objectives (3)

    A.10 Communications and operations management

    - Operational procedures and responsibilities

    - Third party service delivery management

    - System planning and acceptance

    - Protection against malicious and mobile code

    - Back-up

    - Network security management

    - Media handling

    - Exchange of information

    - Electronic commerce services

    - Monitoring

  • 18


    Objectives (4)

    A.11 Access control

    - Business requirement for access control

    - User access management

    - User responsibilities

    - Network access control

    - Operating system access control

    - Application and information access control

    - Mobile computing and teleworking

  • 19


    Objectives (5)

    A.12 Information systems acquisition, development and maintenance

    - Security requirements of information systems

    - Correct processing in applications

    - Cryptographic controls

    - Security of system files

    - Security in development and support processes

    - Technical vulnerability management

  • 20


    Objectives (6)

    A.13 Information security incident management

    - Reporting information security events and weaknesses

    - Management of information security incidents and improvements

    A.14 Business continuity management

    - Information security aspects of business continuity management

  • 21


    Objectives (7)

    A.15 Compliance

    - Compliance with legal requirements

    - Compliance with security policies and standards, and technical compliance

    - Information systems audit considerations


  • 23


    SoA (1)

    ● For each of the 133 controls there shall be a statement in the SoA:

    – How is the control implemented? (references to documents)

    – If it is not implemented: why not?
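    The cross-check this slide and slide 5 describe (one statement per Annex A control, with either a document reference or an exclusion justification) can be mechanised. The script below is an added example, not part of Frank Wagner's deck: it generates the full ISO/IEC 27001:2005 Annex A control list from the number of controls under each control objective (the objectives are those listed on the Objectives slides), then audits a constructed SoA for omitted controls, duplicated controls, identifiers that do not exist in Annex A, implemented or planned controls without a reference, and exclusions without a justification. The SoAEntry structure, the "planned" status for controls selected in the RATP but not yet implemented, and the document identifier ISMS-POL-01 are assumptions made for the example.

```python
"""Completeness cross-check for an ISO 27001:2005 Statement of Applicability (example code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Number of controls under each Annex A control objective in ISO/IEC 27001:2005,
# the edition this module covers. 11 domains, 39 objectives, 133 controls.
ANNEX_A_2005: Dict[str, int] = {
    "A.5.1": 2,
    "A.6.1": 8, "A.6.2": 3,
    "A.7.1": 3, "A.7.2": 2,
    "A.8.1": 3, "A.8.2": 3, "A.8.3": 3,
    "A.9.1": 6, "A.9.2": 7,
    "A.10.1": 4, "A.10.2": 3, "A.10.3": 2, "A.10.4": 2, "A.10.5": 1,
    "A.10.6": 2, "A.10.7": 4, "A.10.8": 5, "A.10.9": 3, "A.10.10": 6,
    "A.11.1": 1, "A.11.2": 4, "A.11.3": 3, "A.11.4": 7, "A.11.5": 6,
    "A.11.6": 2, "A.11.7": 2,
    "A.12.1": 1, "A.12.2": 4, "A.12.3": 2, "A.12.4": 3, "A.12.5": 5, "A.12.6": 1,
    "A.13.1": 2, "A.13.2": 3,
    "A.14.1": 5,
    "A.15.1": 6, "A.15.2": 2, "A.15.3": 2,
}

# Assumed SoA statuses: implemented, planned (selected in the RATP, not yet in place), excluded.
VALID_STATUS = {"implemented", "planned", "excluded"}


def annex_a_controls() -> List[str]:
    """All Annex A control identifiers (e.g. 'A.7.2.1') in standard order."""
    return [f"{obj}.{n}" for obj, count in ANNEX_A_2005.items()
            for n in range(1, count + 1)]


def annex_a_domains() -> List[str]:
    """The domain identifiers (e.g. 'A.7') derived from the objective table."""
    return sorted({".".join(obj.split(".")[:2]) for obj in ANNEX_A_2005},
                  key=lambda d: int(d.split(".")[1]))


@dataclass
class SoAEntry:
    """One row of the SoA (assumed structure, not the deck's template)."""
    control_id: str
    status: str                                           # implemented | planned | excluded
    references: List[str] = field(default_factory=list)   # policies, procedures, RATP items
    justification: str = ""                               # required when excluded


def check_soa(entries: List[SoAEntry]) -> List[str]:
    """Return findings; an empty list means the SoA passes the cross-check."""
    findings: List[str] = []
    catalogue = annex_a_controls()
    known = set(catalogue)
    seen: Dict[str, int] = {}
    for e in entries:
        seen[e.control_id] = seen.get(e.control_id, 0) + 1
        if e.control_id not in known:
            findings.append(f"{e.control_id}: not an Annex A control (typo?)")
            continue
        if e.status not in VALID_STATUS:
            findings.append(f"{e.control_id}: unknown status '{e.status}'")
        elif e.status in ("implemented", "planned") and not e.references:
            findings.append(f"{e.control_id}: {e.status} but no document/RATP reference")
        elif e.status == "excluded" and not e.justification.strip():
            findings.append(f"{e.control_id}: excluded without justification")
    for cid, n in seen.items():
        if n > 1:
            findings.append(f"{cid}: appears {n} times")
    for cid in catalogue:                 # the exclusion cross-check from slide 5
        if cid not in seen:
            findings.append(f"{cid}: missing from SoA (inadvertently omitted?)")
    return findings


def sample_soa() -> List[SoAEntry]:
    """Constructed SoA: every control implemented, then five defects injected."""
    soa = [SoAEntry(cid, "implemented", ["ISMS-POL-01"]) for cid in annex_a_controls()]
    by_id = {e.control_id: e for e in soa}
    by_id["A.10.9.1"].status = "excluded"                   # excluded, no justification
    by_id["A.10.9.1"].references = []
    by_id["A.7.2.2"].references = []                         # implemented, no evidence
    soa.remove(by_id["A.12.6.1"])                            # control silently omitted
    soa.append(SoAEntry("A.10.11.1", "implemented", ["X"]))  # identifier not in Annex A
    soa.append(SoAEntry("A.5.1.1", "implemented", ["ISMS-POL-01"]))  # duplicate row
    return soa


if __name__ == "__main__":
    print(len(annex_a_domains()), "domains,", len(ANNEX_A_2005), "objectives,",
          len(annex_a_controls()), "controls in Annex A")
    for finding in check_soa(sample_soa()):
        print(finding)
```

    Run it against a real SoA by loading the rows from the organisation's spreadsheet into SoAEntry objects; an empty findings list is the evidence an auditor will ask for that no Annex A control was skipped or left without a stated reason.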

  • 24


    SoA (2)

    ● The SoA is classified as Confidential!

    ● The SoA is a living document: it shall be updated regularly.

    ● The SoA is required to obtain an ISO 27001 certification.

  • 25


    Task List

    1. Define Scope and Boundaries

    2. Define ISMS Policy

    3. Risk Assessment

    4. Obtain management authorization to implement and operate the ISMS

    5. Prepare a Statement of Applicability (SoA)


  • 27


    Where are we now?

    Module / Topic

    1 Why Information Security?

    2 Social Engineering

    3 Introduction to ISMS

    4 Documentation

    5 Establishing ISMS

    6 Risk Management

    7 Statement of Applicability

    8 Implementation and Operation of ISMS

    9 Information Security Awareness

    10 Information Security Audits