01 December 2013

Information Security Scope the Risk Assessment and Statement of Applicability

I had an automated email from Alan Calder, the author of the IT Governance Toolkit, today. Alan tells me that I get five times more content in the full version. Well, that’s shrunk by half from a couple of days ago. “Maybe he’ll reduce his prices accordingly,” I think fleetingly. Then I realize the follow-up email adds some value, but he’s really just stoking up the pressure so that I buy the Toolkit.

Chapter 4 of A Manager’s Guide to Data Security and ISO27001/ISO27002 is about the organisation of information security. I am beginning to see the value in this book. Mr Calder does a thorough job of explaining the various individuals, committees or groups who will have responsibilities for the implementation of an ISMS in a large organisation. He explains what their roles should be and the competences required. Also buried in the text are some references or web links for further information. For example, he mentions the 3 magazines he believes to be the most useful to read: SC Magazine, Infosecurity Today and Information Security. This is really, really useful up-to-date information.

The difficulty for me is that most of this information is not relevant to me. I am not running a large corporation but a business which will only have a handful of employees to start. I still need to know what practically I have to do to get this certification, or whether it just isn’t going to be possible.

The title of chapter 6 is more promising. It’s about two things I don’t have much experience of – Risk Assessment and Statement of Applicability.

There are a few sentences that spring out from the page. These include: “for every control that the organisation might implement, the calculation would be that the cost of implementation would be outweighed, preferably significantly, by the economic benefits that derive from, or economic losses that are avoided as a result of, its implementation”. In other words, there is a clear indication of a “reasonableness” judgement here. In that case a small organisation might be excused from certain requirements on account of its size. I have been told that ISOs can apply to any organisation. However, I am not sure if there are actually minimum technical or staffing requirements which must be met and, if so, what they are.

Mr Calder then goes on about Quantitative Risk Analysis and its Elements. I switch off again – if only he’d give an example of one he did before (like Blue Peter), then I’d grasp it so much more quickly than I would reading the theory behind the process and a description of it with no example to hand.
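Added here as a worked illustration (not from the book or the original post): a small quantitative risk calculation that applies the quoted rule that a control’s cost must be outweighed, preferably significantly, by the losses it avoids, and turns the result into Statement of Applicability lines. The SLE/ARO/ALE terms, the figures and the 1.5x margin are my assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    sle: float  # single loss expectancy: cost of one incident (assumed term)
    aro: float  # annualised rate of occurrence: incidents per year (assumed term)
    def ale(self) -> float:
        """Annualised loss expectancy: SLE x ARO."""
        return self.sle * self.aro

@dataclass
class Control:
    name: str
    annual_cost: float    # purchase plus running cost per year
    aro_reduction: float  # fraction of incidents the control prevents (0..1)
    sle_reduction: float  # fraction of per-incident loss it avoids (0..1)

def residual_ale(risk: Risk, control: Control) -> float:
    """ALE once the control is in place (reductions assumed multiplicative)."""
    return risk.sle * (1 - control.sle_reduction) * risk.aro * (1 - control.aro_reduction)

def net_benefit(risk: Risk, control: Control) -> float:
    """Avoided annual loss minus what the control costs per year."""
    return risk.ale() - residual_ale(risk, control) - control.annual_cost

def justified(risk: Risk, control: Control, margin: float = 1.5) -> bool:
    """The quoted test: avoided loss must be at least `margin` times the annual cost."""
    return risk.ale() - residual_ale(risk, control) >= margin * control.annual_cost

def soa_entries(risk: Risk, controls: list[Control], margin: float = 1.5) -> dict[str, str]:
    """One Statement of Applicability line per control: included when the
    cost-benefit test passes, otherwise excluded with the reason recorded."""
    entries = {}
    for c in controls:
        avoided = risk.ale() - residual_ale(risk, c)
        if justified(risk, c, margin):
            entries[c.name] = f"included: avoids {avoided:.0f}/yr for {c.annual_cost:.0f}/yr"
        else:
            entries[c.name] = f"excluded: avoids only {avoided:.0f}/yr for {c.annual_cost:.0f}/yr"
    return entries

# Constructed figures for a handful-of-staff business (not real data).
LAPTOP_THEFT = Risk("stolen laptop with client data", sle=4000.0, aro=0.5)
CONTROLS = [
    Control("full-disk encryption", annual_cost=300.0, aro_reduction=0.0, sle_reduction=0.8),
    Control("24/7 guarded premises", annual_cost=30000.0, aro_reduction=0.9, sle_reduction=0.0),
]
```

With these figures encryption is included (about 1600/yr avoided for 300/yr) while guarded premises are excluded (about 1800/yr avoided for 30000/yr), which is the “reasonableness” judgement a small organisation would record in its Statement of Applicability.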

Key sentence number two: “Controls are countermeasures to risks.” Great, nice, concise… but it doesn’t stay simple for long. Controls can be directive, preventative, detective, corrective or recovery controls.

Key sentence number three: “the Standard.. requires the organisation to select appropriate control objectives and controls… it clearly invites organisations to do this exhaustively..” The word “invite” normally has an enjoyable indirect object, I think to myself, e.g. a party. It doesn’t here.

Based on historical notes from my diary
