07 December 2013

ISO 27001 Risk Assessment or Statement of Applicability – Lack of Hard Examples

Chapter 7 of a Manager’s Guide to Data Security and ISO27001/ISO27002 is about countering risks from external parties. Subsequent chapters cover different subjects and the book moves to giving informed and solid advice about what one should consider in determining how to secure one’s organisation under each of these headings. It breaks down the options clearly and it gives links to further information from directly within the text as opposed to having to hop to an appendix the whole time. It tells you what to consider, where to get information and how to balance priorities.

It gives very little in the way of examples of how these factors have been assessed and applied in a particular situation and the resulting policy, control or document that arises. This is what is preventing me from getting a clear picture of what I need to do from Mr Calder’s book or any other sources. I know enough about IT and about running businesses to see the value in these chapters but I need hard examples to cement my understanding.

I remain unable to picture exactly what the Risk Assessment or Statement of Applicability should look like in reality from the description in Mr Calder’s book. It is a well written book but at this stage it is of limited help to me.

Continuing to plough through the book isn’t going to get me where I want to be so I am going to need to look elsewhere for these hard examples.

Based on historical notes from my diary 