...
The model for an ISMS as set out in these documents and ISO/IEC 27001 is just a model, and it should not intended to be taken as proscriptive. It is possible to make some of the You can make some decisions related to controls without having first used the your risk management process (8.2), such as control set selection, and . You might do this when thinking about the overall control set or controls needed to meet customer requirements. Some may also prefer It is equally as valid to perform a complete risk assessment before considering what controls may be necessary by the organisation so you may also requirecontrol sets and risk treatment options. You may also require:
- A completed Completed risk assessment
- A list of risk owners
This may not be the If this is not first time you are looking at the choice of controls. You may also wish thinking about controls then you will need to take into account:
- The effectiveness of previously selected controls
- The results of previous risk assessments
- The evaluation of monitoring and measuring activities
Control sets
You will need to make a decision decide on what set of controls is most appropriate to use within in your organisation. From It is from this set of controls, that you will select those the controls necessary to control risks, and meet internal and external requirements. Sets of controls include:
- ISO/IEC 27001:2013 Annex A
- CIS Critical Security Controls
There may be also be control sets controls specific for your country. The UK specifies five controls for basic cyber hygiene in the Cyber Essentials standard, and controls/objectives for operators of essential services under the NIS Directive are published by NCSC.
...
ISO/IEC 27001:2013 allows you to select for the selection of controls from any source , but (you can also create your own controls). However, you must justify the exclusion of any controls from Annex A which you have chosen not to implement, to and ensure that no necessary controls from Annex A are overlooked.
Most Consequently most organisations will chose Annex A as their normal set of controls, with additional controls chosen for particular business requirements. It is unusual for an organisation to do something different to this.
Prioritisation/Triage
When first starting out, or setting up establishing an ISMS, the number of controls you need to implement may be overwhelming. It might be is advisable to focus on the controls necessary needed to address the most important biggest risks, or that provide the greatest overall reduction in risk, and then come back to other controls at a later stage. It . Your NREN is also likely to have existing controls in place, particularly around the operation and monitoring of the network. A good tip is to remember that it is not necessary to get things complete or perfect at the outset - this is what continual improvement is for.
...
ISO/IEC 27001:2013 Annex A can be overwhelming both ourselves as information security practitioners but also to our colleagues. It can appear to be is a very technical and bureaucratic listing bureaucratic list of things that must be done with no direct relationship with to the organisation's objectives, activities, and risks. You should may need to think about how you present controls within your organisation. It You could be a idea to group your selected controls by
...
It is helpful to get input from a wide variety of sources at all levels within your organisation who can present different perspectives and expertise on the choice and implementation of controls. It can be too easy just to focus on the inputs of more technical colleagues.
Selection
All controls must be selected for a reason. The core reason in ISO 27001 is to address a specific risk. The control must do something to reduce the risk.
Controls may also be selected because a customer has asked you to implement it, or because a law or regulation requires it. You should try to understand these external factors in Section 4 of the standard. Selected controls should be implemented in a lawful manner.
Effectiveness
Your selection of controls must be practical for your organisation and staff to implement and understandmanage, otherwise they will not be effective at reducing risk. You should think about how you will monitor and measure the controls as set out in section 9 of the standard.
Non-control
Risk treatment options
Not Non all risks need to be controlled. Some may be acceptable, some may can be transferred or insured against, or the activity leading to the risk may can be stopped. You should pick the most acceptable treatment option, but it is likely that in most cases you will chose to control the risk.
...
ISO/IEC 27001 does not going into any detail on the cost costs of implementing controls, but the controls should be appropriate. You should take assume this to include includes the cost of controls. The cost of a control should be at least less than the expected loss of the risk it is attempting to control. In practice it should a lot much less than this.
Training/Awareness
It is sensible to provide training to those responsible for implementing, managing, or monitoring controls. This training should cover the reasons why the controls are implemented, how they are intended to reduce risk, and the different ways in which the control can be implemented. It is also cab be a useful means way to get feedback on the suitability of controls. Also consider Consider making this training available to your internal auditors.
Selection
All controls must be selected for a reason. The core reason in ISO 27001 is to address a specific risk. The control must do something to reduce this risk.
Controls may also be selected because a customer has asked you to implement it, or because a law or regulation requires it. You should try to understand these external factors in Section 4 of the standard. Selected controls should be implemented in a lawful manner.
This section should have a reference to ISO 27001 chapter 6: planning.
There is a strong relation with the ISO 27001 Statement of Applicability, and the risk based selection of controls. You can use ISO 27002 and its chapters for grouping controls or you can use other groupings that are better suited to your business processes.
Risk acceptance
The selection of controls to treat risks must be accepted by risk owners, and they must also accept any residual risk remaining after treatment. You must have a risk treatment plan that details the risks, selected controls, acceptance by the risk owner, and the implementation of the control (or not - it is fine to have selected a control but not yet implemented it).
Statement of applicability
ISO/IEC 27001 requires that you produce a statement of applicability (SoA). It must contain the necessary controls (those you have chosen AND and Annex A), and detail which the controls you have selected and why, and the justification for controls you have excluded from Annex A. Many organisations decide to provide internal and external facing SoA SoAs with different levels of confidential information. Your SoA must be subject to version control.
Outputs
- Risk treatment plan
- Statement of applicability
- An understanding of residual risk after control selection