CHAPTER 11:
STATEMENT OF APPLICABILITY AND RISK TREATMENT PLAN

The completion of the risk assessment and the risk treatment decisions must be documented. This produces two documents:

• Statement of Applicability, and

• Risk Treatment Plan.

The first lists all the controls listed in Annex A of ISO27001 and documents whether or not they have been applied within the ISMS, and also identifies any additional controls that have been applied. The second maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation plan.

The Statement of Applicability

As the controls are selected, the Statement of Applicability (‘SoA’) can start being drawn up. The SoA, as specified in ISO27001 clause 4.2.1 - h, documents the decisions reached on each control in the light of the risk assessment and is also an explanation or justification of why any controls that are listed in Annex A have not been selected.14 This exercise, of reviewing the list of controls and documenting the reasons for excluding any that have not been selected, is a useful cross-check on the control selection process.

14 ISO27001 clause 4.2.1 - j3.

The Statement of Applicability will also list those additional controls (ie, not from the Annex A list) that the organization has determined, following its risk assessment, are necessary to counter specifically identified risks. These controls should be listed, either within those control sections whose objectives are supported by the additional controls, or within additional control sections added after those contained in ISO27001 Appendix A. These additional controls should adopt the Appendix A numbering scheme.

The SoA needs to be reviewed on a defined, regular basis and will be one of the first documents that an external auditor will want to see. It is also the document that is used to demonstrate to third parties the degree of security that has been implemented and is referred to, with its issue status, in the certificate of compliance issued by third party accredited certification bodies.

Risk Treatment Plan

Clause 4.2.2 - a of the standard requires the organization to ‘formulate a risk treatment plan that identifies the appropriate management action, responsibilities and priorities for managing information security risks’. Risk treatment is, as we saw earlier, part of the risk management process.

There is a link to ISO27001 clause 5, a substantial clause dealing in detail with management responsibility. The Risk Treatment Plan needs to be documented. It should be set within the context of the organization’s information security policy and it should clearly identify the organization’s approach to risk and its criteria for accepting risk. The risk assessment process must be formally defined and responsibility for carrying it out, reviewing it and renewing it, formally allocated. At the heart of this plan is a detailed schedule, which shows for each identified asset:

• each threat-vulnerability relationship and the associated risk level (from the risk assessment tool);

• the gap between the assessed risk and the acceptable level of risk;

• how the organization has decided to treat the risk (accept, reject, control, transfer);

• the control gap analysis:

– what controls are already in place and their nature (eg, deterrent, preventive, etc);

– what additional controls are considered necessary, and their nature (and details of any supporting cost-benefit analysis);

• the resources required for the task (financial, technical and human);

• the timeframe for implementing the controls.

The Risk Treatment Plan links the risk assessment (contained in the chosen risk assessment tool and its outputs) to the identification and design of appropriate controls, as described in the Statement of Applicability, such that the board-defined approach to risk is implemented, tested and improved. This plan should also ensure that there are adequate funding and resources for implementation of the selected controls and should set out clearly what these are.
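As an added illustration (not from the book), the following Python models one line of the Statement of Applicability and one row of the schedule above, then runs the cross-check the SoA discussion describes: an excluded control needs a justification, a risk still above the acceptable level but treated as ‘accept’ is flagged, every control a risk relies on must be applied in the SoA, and applied controls that no risk relies on are reported. All control identifiers, assets and risk levels are constructed samples, not Annex A references.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample model; control identifiers are illustrative, not Annex A.
@dataclass
class SoAEntry:
    control_id: str
    applied: bool
    justification: str = ""   # required when a listed control is not applied

@dataclass
class RiskRow:               # one line of the risk treatment schedule
    asset: str
    threat: str
    vulnerability: str
    assessed_level: int      # risk level from the risk assessment tool
    acceptable_level: int    # the organisation's risk acceptance criterion
    treatment: str           # accept | reject | control | transfer
    controls: List[str] = field(default_factory=list)

    def gap(self) -> int:    # gap between assessed and acceptable risk (0 if within)
        return max(0, self.assessed_level - self.acceptable_level)

def cross_check(soa: List[SoAEntry], plan: List[RiskRow]) -> List[str]:
    """Return findings where the SoA and the treatment plan disagree."""
    findings = []
    applied = {e.control_id for e in soa if e.applied}
    for e in soa:
        if not e.applied and not e.justification.strip():
            findings.append(f"{e.control_id}: excluded without justification")
    for r in plan:
        where = f"{r.asset}/{r.threat}/{r.vulnerability}"
        if r.gap() > 0 and r.treatment == "accept":
            findings.append(f"{where}: risk {r.gap()} above acceptable level but accepted")
        if r.treatment == "control" and not r.controls:
            findings.append(f"{where}: treated by control but no control named")
        for c in r.controls:
            if c not in applied:
                findings.append(f"{where}: relies on {c}, which the SoA does not apply")
    referenced = {c for r in plan for c in r.controls}
    for c in sorted(applied - referenced):
        findings.append(f"{c}: applied in SoA but no risk in the plan relies on it")
    return findings

SOA = [SoAEntry("C-1", True), SoAEntry("C-2", True),
       SoAEntry("C-3", False, "no wireless network in scope"), SoAEntry("C-4", False)]
PLAN = [RiskRow("HR database", "theft", "weak access control", 8, 4, "control", ["C-1"]),
        RiskRow("Laptops", "loss", "unencrypted disk", 6, 4, "accept"),
        RiskRow("Web server", "DoS", "single ISP link", 5, 4, "control", ["C-9"])]
```

Running `cross_check(SOA, PLAN)` on the sample data reports four findings: C-4 lacks a justification, the laptop risk is accepted above its acceptable level, the web server row relies on a control the SoA does not apply, and C-2 is applied but supports no identified risk.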

The Risk Treatment Plan should also identify the individual competence and broader training and awareness requirements necessary for its execution and continuous improvement.
