There are many sets of controls available, some backed by government, others produced by professional bodies, and still more developed by community organisations.
Control sets are like diets – everyone is looking for a “quick fix”. Some approaches are faddish and incomplete and require huge lifestyle changes. Others require you to pay a third party to make all of the difficult decisions for you. Others start with good advice based upon fact, and expect you to interpret it to suit your situation. Unfortunately, just as there is no one menu which will suit us all, there is no one control set which will sufficiently protect every organisation.
Using governmental advice can be a good start, if there is a clear message.
The crucial point of difference between a control set and a diet, where the analogy breaks down, and which explains the fluidity in the information security sector (which far exceeds the confusion even in the nutrition sector) is the rapidly changing and volatile state of technology. Human biology is relatively static. Imagine if a person born thirty years ago was unrecognisable to anyone born twenty years ago, and could not eat the same food or even talk to them.
The more specific and technology-focused a control set is, the more effort it will take to keep it up to date – which is why managing people and business processes can be a better way to manage a risk.
Any organisation seeking to identify a control set to implement should assess it for stability (given the changing nature of technology), suitability for their needs, and other side benefits (e.g. will it make it easy to get government funding?). The control set chosen will almost certainly need to be augmented to fill in the areas where the organisation's risk tolerance differs from the tolerance of the authors of the control set.
Governmental control sets can be used to improve top level buy-in, as top management may have been contacted by governmental bodies asking for feedback on compliance with the currently popular control set. An example of an initial risk assessment which helped an organisation to raise awareness, gain support from governance and executive bodies and make the case for increased investment in information security controls was to take the CPNI 20 controls and assess: current organisational compliance (rated as red, amber or green), priority for action, actions recommended with cost, timescales and responsibilities.
A note on the ISO/IEC 27001 Statement of Applicability
The Statement of Applicability is one of the documents required to certify to ISO/IEC 27001. It consists of a mapping of the organisation’s list of selected controls to the list of controls in Annex A of ISO/IEC 27001 (which is the same as the controls in ISO/IEC 27002). Every information security control which is used by the organisation (in the environment being certified) should be in this list, even if it does not appear in Annex A of 27001. Justification should be given (briefly) for the inclusion of all implemented controls; and where a control listed in 27001 is not implemented, justification for its omission should also be given.
The purpose of the SOA is mainly to ensure that an organisation has not missed anything. The Annex is not intended to be a control set, or a means of bypassing a risk assessment. A good way to think of it is as a supermarket containing all the foods you can imagine – your list of controls is your shopping list. Going to this supermarket without a list and buying everything on the shelves will bankrupt you, and leave you with many foods you don’t need or want. Equally, implementing all controls in Annex A of ISO/IEC 27001 will be too expensive for the organisation, and will not meet its needs. That is why the list of controls in Annex A is best ignored until after the organisation has sorted out its list of required controls.
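The "has the organisation missed anything?" purpose of the SOA can be made mechanical. The following is an added example (not from the original article or from ISO) that takes the organisation's own control list, mapped where possible to Annex A references, and reports the three gaps the text describes: implemented controls with no justification, Annex A controls the organisation never addressed, and Annex A controls marked as not implemented without a justification for the omission. The Annex A references and control names in the sample data are constructed placeholders, not the real Annex A numbering.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Control:
    ref: str                      # organisation's own identifier
    annex_ref: Optional[str]      # Annex A reference it maps to, or None if outside Annex A
    implemented: bool
    justification: str = ""       # brief reason for inclusion or for omission

def check_soa(annex_a: Dict[str, str], org_controls: List[Control]) -> Dict[str, List[str]]:
    """Return the SOA gaps: a dict of finding kind -> list of control references."""
    findings: Dict[str, List[str]] = {
        "unjustified_inclusion": [],   # implemented control with no justification
        "unaddressed_annex": [],       # Annex A control with no row in the SOA at all
        "unjustified_exclusion": [],   # Annex A control marked not implemented, no reason given
    }
    rows_by_annex: Dict[str, List[Control]] = {}
    for c in org_controls:
        if c.implemented and not c.justification.strip():
            findings["unjustified_inclusion"].append(c.ref)
        if c.annex_ref:
            rows_by_annex.setdefault(c.annex_ref, []).append(c)
    for annex_ref in annex_a:
        rows = rows_by_annex.get(annex_ref, [])
        if not rows:
            findings["unaddressed_annex"].append(annex_ref)
        elif not any(r.implemented for r in rows) and not any(r.justification.strip() for r in rows):
            findings["unjustified_exclusion"].append(annex_ref)
    return findings

# Constructed sample data: placeholder Annex A references, not the standard's own numbering.
SAMPLE_ANNEX_A = {"A.1": "Policy placeholder", "A.2": "Access placeholder", "A.3": "Crypto placeholder"}
SAMPLE_CONTROLS = [
    Control("ORG-01", "A.1", True, "Required by board-approved security policy"),
    Control("ORG-02", "A.2", True, ""),                       # implemented, but no justification
    Control("ORG-03", "A.3", False, ""),                      # omitted, but no reason given
    Control("ORG-04", None, True, "Contractual requirement outside Annex A"),
]

if __name__ == "__main__":
    for kind, refs in check_soa(SAMPLE_ANNEX_A, SAMPLE_CONTROLS).items():
        print(f"{kind}: {refs}")
```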