04 February 2014

ISO 27001 The Statement of Applicability

I have been examining the ISO 27001 Standard Document itself and feeling rather overwhelmed and that I am bashing my head against a brick wall.

I begin to rethink my strategy and flick backwards quickly to page 5.  This is where the ‘Statement of Applicability’ is mentioned.  This ties together the list of Controls and Objectives – the list of practical things one needs to do to implement the standard – with the content of the standard itself, so it’s probably a good place to start.  There is a lot about Risk Assessment before the Statement of Applicability which I don’t understand, but I can come back to that later.  I’ve got the Statement of Applicability as a short term objective – a buoy to swim towards that perhaps I can cling onto for a while.  So I type “Statement of Applicability ISO27001” into Google and start trawling through the results.

Almost immediately I come across http://www.iso27001security.com/.  By its basic but functional design this site just looks like the kind of site that could cut to the chase and ‘deal the deal’.  There are a few scary bits, like mentions of other standards, ISO 27002 and ISO 27003, but what catches my eye immediately after this is a FREE ISO27k toolkit.  Amazingly, I don’t even have to register on the site to get access to it.

Hard Drives after Destruction.

I spend quite a while opening documents up on the site and reading them.  The documents here have been developed by ISO 27001 implementers and then put up on the site.   This site clearly doesn’t offer a complete toolkit or total solution to my problems but it does give applied examples of certain documents and there is comparatively little in the way of guff.  Most of the contributions are made by two individuals but there are other contributors too.

The fourth document I open off the site is a Statement of Applicability.  This is a blank template – not populated with data – but I still get the gist; more than having seen an actual example of one, I quickly see its primary purpose.  The list is a spreadsheet of all the Controls and Objectives listed in Appendix A of the standard.  There are several columns and notes I don’t understand yet, but clearly what one has to do is go through each of these 120 or so items and record what one has done to cover them off in one’s own organisation.

Against each row is a “Controls” column, a “Selected Controls” column and a “Reasons for Selection” group of columns.  Reasons for Selection are broken down into four types (LR: legal requirements, CO: contractual obligations, BR/BP: business requirements/adopted best practices, RRA: results of risk assessment), plus a qualifier, TSE: to some extent.

On the right there’s a ‘Remarks (Overview of implementation)’ column where one should record the specific action taken to meet the control.  This could be introducing a swipe card system on doors, creating a written policy or implementing a procedure to verify the destruction of hard drives.
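To make the column layout described above concrete, here is a small consistency checker over an SoA worksheet in that shape.  This is an added illustration, not code from this post or from the ISO27k toolkit; the CSV rows are constructed, the control identifiers (A.x.1 and so on) are placeholders rather than real Appendix A references, and the rules it applies (a selected control needs a reason and a remark, an excluded control needs a justification, TSE on its own is not a reason) are my reading of the template, not something the standard spells out.

```python
"""Consistency checks over a Statement of Applicability (SoA) worksheet.

Added illustration, not code from the blog post or the ISO27k toolkit.
The column layout (control, selected, reason codes, remarks) follows the
post's description of the template; the sample rows are constructed and
the control identifiers are placeholders, not Appendix A references.
"""
import csv
import io

# Reason-for-selection codes as described in the post. TSE ("to some
# extent") is treated here as a qualifier that only makes sense alongside
# a real reason, which is an assumption about how the template is used.
REASON_CODES = {"LR", "CO", "BR/BP", "RRA"}
MODIFIER_CODES = {"TSE"}

# Constructed sample worksheet (CSV). Control ids are placeholders.
SAMPLE_SOA = """\
control,selected,reasons,remarks
A.x.1 Physical entry controls,Y,LR;RRA,Swipe-card access on server room doors
A.x.2 Secure disposal of media,Y,CO;BR/BP,Procedure SOP-DD-01 verifies shredding of each drive
A.x.3 Information security policy,Y,,Written policy approved by management
A.x.4 Teleworking,N,,
A.x.5 Cabling security,Y,TSE,Partial: patch cabinets locked
A.x.6 Mobile device policy,N,,Not applicable: no company mobile devices issued
"""


def load_soa(text):
    """Parse the worksheet into a list of dicts with split reason codes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["selected"] = row["selected"].strip().upper() == "Y"
        row["reasons"] = {r.strip() for r in row["reasons"].split(";") if r.strip()}
        row["remarks"] = row["remarks"].strip()
        rows.append(row)
    return rows


def check_soa(rows):
    """Return a list of (control, problem) findings.

    Rules applied (assumed, see module docstring):
      * a selected control needs at least one recognised reason code;
        TSE on its own does not count, it must accompany LR/CO/BR/BP/RRA
      * a selected control needs a remark describing the implementation
      * an excluded control still needs a remark justifying the exclusion
      * unknown reason codes are flagged
    """
    findings = []
    for row in rows:
        name = row["control"]
        unknown = row["reasons"] - REASON_CODES - MODIFIER_CODES
        for code in sorted(unknown):
            findings.append((name, f"unknown reason code {code!r}"))
        real_reasons = row["reasons"] & REASON_CODES
        if row["selected"]:
            if not real_reasons:
                findings.append((name, "selected but no reason for selection recorded"))
            if not row["remarks"]:
                findings.append((name, "selected but no implementation remark"))
        elif not row["remarks"]:
            findings.append((name, "excluded without a justification remark"))
    return findings


def summarise(rows):
    """Counts a reviewer would want at the top of the SoA."""
    selected = sum(1 for r in rows if r["selected"])
    return {"total": len(rows), "selected": selected, "excluded": len(rows) - selected}


if __name__ == "__main__":
    soa = load_soa(SAMPLE_SOA)
    print(summarise(soa))
    for control, problem in check_soa(soa):
        print(f"{control}: {problem}")
```

Run against the constructed rows it reports three gaps: the policy control has a remark but no reason code, the teleworking exclusion has no justification, and the cabling control carries only TSE.  Exporting the real spreadsheet to CSV with these four columns is enough to run the same check over it.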

I don’t get the whole picture yet, but what I do get is that the ISO 27001 Standard sets a defined series of things called “controls” with which my data destruction company needs to comply.  I will need to go through this list one by one and check that I can practically meet them.

The buoy I spotted in the distance has turned out to be a rubber ring.  Thanks to this I am now riding higher in the water and time to float home for the night.