The process of developing the SoA can be mapped to five steps:
1 – Identify and analyse risks
You need to identify the events that could compromise the confidentiality, integrity and/or availability of any asset within the scope of your ISMS. Each risk then needs to be analysed, which usually means pairing a vulnerability in the asset with a threat that could exploit it, estimating the likelihood and impact of that happening, and assigning a risk owner who is accountable for the outcome.
2 – Select controls to treat risks
Once the risks have been assessed, any that exceed your agreed risk acceptance criteria must be treated until they fall to an acceptable level.
ISO 27001 requires you to select appropriate risk treatment options; ISO 27005, the supporting risk management standard, describes four:
- retain (tolerate)
- avoid (terminate)
- share (transfer)
- modify (treat).
Modifying the risk means applying security controls to reduce its impact and/or likelihood. Controls can be drawn from Annex A of ISO 27001 or from other frameworks, such as the Payment Card Industry Data Security Standard (PCI DSS) or NIST SP 800-53. Whatever the source, Clause 6.1.3 requires you to compare the controls you have determined necessary against Annex A to confirm that no necessary control has been overlooked.
3 – Plan your risk treatment
The risk treatment plan (RTP) is a mandatory document in a certified ISO 27001 ISMS. It summarises each identified risk, the treatment option chosen, the controls selected, the risk owner and the target date for applying the treatment. Risk owners must approve the plan and formally accept the residual risk that remains once the treatment is in place.
4 – Implement controls
Your SoA should list every control you have determined necessary, whether it comes from Annex A or elsewhere, state whether each control is implemented, and justify its inclusion. For every Annex A control you have not selected, the SoA must record a justification for the exclusion. Implementing the selected controls can be time-consuming, depending on how far your organisation's current security posture falls short of the level your risk acceptance criteria demand.
5 – Maintain the SoA
ISO 27001 requires the organisation to continually review, update and improve the ISMS so that it keeps functioning effectively and adapts to a constantly changing threat environment.
Clause 8.2 of ISO 27001 requires risk assessments to be performed at planned intervals, and whenever significant changes are proposed or occur.
A reassessment may show that your organisation has lowered its risk appetite and needs new controls to reduce the impact or likelihood of identified risks, so the SoA must be reviewed and updated after every risk assessment. It should also be maintained between assessments, so that it remains an accurate record of which controls you have selected, why, and whether each has been implemented.
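The five steps above are easy to describe and easy to get out of sync in practice: a risk marked "modify" with no controls behind it, an Annex A control excluded with no reason recorded, or a retained risk that actually sits above the acceptance level. The following script is an added example, not code from the article or from any product it mentions. It builds an SoA and RTP from a small risk register and runs consistency checks across them. The risk entries, the acceptance threshold, the data layout and the checks themselves are assumptions made for illustration, and the control catalogue is a constructed five-control subset of ISO/IEC 27001:2022 Annex A (the real Annex contains 93 controls).

```python
"""Derive a Statement of Applicability (SoA) and risk treatment plan (RTP)
from a risk register and check that the three documents agree.

Added example, not from the original article. ANNEX_A is a constructed
subset of ISO/IEC 27001:2022 Annex A; the Risk layout, sample entries and
checks below are illustrative assumptions, not a prescribed format.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed subset of Annex A; a real SoA covers all 93 controls.
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.5.15": "Access control",
    "A.8.7": "Protection against malware",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.24": "Use of cryptography",
}

# The four treatment options described in ISO 27005.
TREATMENTS = {"retain", "avoid", "share", "modify"}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    owner: str
    treatment: str                  # one of TREATMENTS
    controls: Tuple[str, ...] = ()  # controls selected when treatment == "modify"
    target_date: str = ""           # date by which the treatment is applied

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def build_soa(risks: List[Risk], implemented: Set[str],
              exclusions: Dict[str, str]) -> Dict[str, Tuple[bool, bool, str]]:
    """Map each Annex A control to (applicable, implemented, justification).

    A control is applicable when at least one 'modify' risk relies on it;
    otherwise it is excluded and must carry an exclusion justification.
    """
    drivers: Dict[str, List[str]] = {}
    for r in risks:
        if r.treatment == "modify":
            for c in r.controls:
                drivers.setdefault(c, []).append(r.risk_id)
    soa = {}
    for cid in ANNEX_A:
        if cid in drivers:
            soa[cid] = (True, cid in implemented,
                        "Treats " + ", ".join(sorted(drivers[cid])))
        else:
            soa[cid] = (False, False, exclusions.get(cid, ""))
    return soa


def build_rtp(risks: List[Risk]) -> List[Dict[str, object]]:
    """One RTP row per risk that is not simply retained."""
    return [{"risk": r.risk_id, "response": r.treatment,
             "controls": list(r.controls), "owner": r.owner,
             "target_date": r.target_date}
            for r in risks if r.treatment != "retain"]


def check_consistency(risks: List[Risk], soa: Dict[str, Tuple[bool, bool, str]],
                      accept_below: int) -> List[str]:
    """Return findings where register, RTP data and SoA disagree."""
    findings = []
    for r in risks:
        if r.treatment not in TREATMENTS:
            findings.append(f"{r.risk_id}: unknown treatment '{r.treatment}'")
        if r.treatment == "modify":
            if not r.controls:
                findings.append(f"{r.risk_id}: treatment is 'modify' but no controls selected")
            for c in r.controls:
                if c not in soa:
                    findings.append(f"{r.risk_id}: control {c} is not in the SoA")
            if not r.target_date:
                findings.append(f"{r.risk_id}: no target date for applying the treatment")
        # A retained risk must sit below the agreed acceptance level.
        if r.treatment == "retain" and r.score >= accept_below:
            findings.append(f"{r.risk_id}: score {r.score} is at or above the "
                            f"acceptance level but the risk is retained")
    for cid, (applicable, _implemented, justification) in soa.items():
        if not applicable and not justification:
            findings.append(f"{cid}: excluded without a justification")
    return findings


# Constructed sample register; R5 is deliberately incomplete.
RISKS = [
    Risk("R1", "Customer DB", "Ransomware", "Unpatched server", 4, 5,
         "IT Manager", "modify", ("A.8.7", "A.8.8"), "2025-06-30"),
    Risk("R2", "Backup tapes", "Theft in transit", "Unencrypted media", 2, 4,
         "Ops Lead", "modify", ("A.8.24",), "2025-03-31"),
    Risk("R3", "Legacy portal", "Credential stuffing", "No lockout", 3, 4,
         "Product Owner", "avoid", (), "2025-01-31"),
    Risk("R4", "Office Wi-Fi", "Eavesdropping", "Shared guest key", 2, 3,
         "Facilities", "retain"),
    Risk("R5", "HR system", "Insider misuse", "Broad access", 3, 3,
         "HR Director", "modify", ()),
]
IMPLEMENTED = {"A.8.7"}
EXCLUSIONS = {"A.5.15": "Access to in-scope systems is governed by the group IAM "
                        "policy, which is outside this ISMS scope (constructed)."}
ACCEPT_BELOW = 6  # assumed acceptance criterion: likelihood x impact must be < 6


if __name__ == "__main__":
    soa = build_soa(RISKS, IMPLEMENTED, EXCLUSIONS)
    for cid, (applicable, implemented, why) in soa.items():
        state = "applicable" if applicable else "excluded"
        print(f"{cid:7} {ANNEX_A[cid]:42} {state:10} "
              f"{'implemented' if implemented else '-':12} {why}")
    for row in build_rtp(RISKS):
        print("RTP:", row)
    for f in check_consistency(RISKS, soa, ACCEPT_BELOW):
        print("FINDING:", f)
```

Running it lists the five SoA rows and four RTP rows, then reports four findings: R4 is retained although its score reaches the acceptance level, R5 is marked "modify" with no controls and no target date, and A.5.1 is excluded without a justification. Those are exactly the gaps an auditor will look for when comparing the SoA against the risk register and RTP, and checking them mechanically is what keeps the documents consistent between formal risk assessments.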
Fully aligned with ISO 27001, our Tool streamlines the information risk assessment process and helps you produce consistent, robust and reliable risk assessments year after year.
It can generate six audit-ready reports, including the SoA and RTP. Export, edit and share these reports with ease across your organisation and with auditors.