Reference no: EM132387129
ITEC854 Security Management
"ISO/IEC 27001:2013 ISMS Status, Statement of Applicability (SoA) and Controls Status (gap analysis) workbook"
Introduction
This spreadsheet is used to record and track the status of your organization as you implement the mandatory and discretionary elements of ISO/IEC 27001.
The main body of ISO/IEC 27001 formally specifies a number of mandatory requirements that must be fulfilled in order for an Information Security Management System (ISMS) to be certified compliant with the standard. All the mandatory requirements for certification concern the management system rather than the information security controls.
For example, the standard requires management to determine the organization's information security risks, assess them, decide how those risks are to be treated, treat them and monitor them, using the policies and procedures defined in the ISMS. It does not mandate specific security controls.
However, Annex A to '27001 outlines a suite of information security controls that the management system would typically be used to manage, provided they are in fact applicable to the organization (which depends on its information security risks). The security controls in Annex A are explained in much more detail in ISO/IEC 27002, and in various other standards, laws, regulations etc.
Instructions
1. Design and implement an ISMS complying with all the mandatory elements specified in the main body of ISO/IEC 27001, using the drop-down selectors on the status column of the mandatory ISMS requirements sheet to track and record its status.
2. Identify and assess the information security risks facing those parts of the organization that are declared in scope for your ISMS, identifying any Annex A controls that are not applicable using the drop-down selectors in the status column of the Annex A controls sheet.
3. Systematically check and record the status of your security risks and controls, updating the status column of the Annex A sheet accordingly.
4. Once your ISMS is operating normally, the metrics are looking good and you have amassed sufficient evidence ("records"), it can be formally audited for compliance with '27001 by an accredited certification body. They will check that your ISMS fulfills the standard's mandatory requirements, and that your in-scope information security risks are being identified, treated and monitored according to the ISMS policies and procedures. Thereafter, the spreadsheet should both be maintained, i.e. updated whenever the information security risks or controls change, and periodically reviewed/audited.
History and acknowledgements
Bala Ramanan donated the original ISO/IEC 27001:2005 version of the 27001 requirements worksheet. Joel Cort added the SoA worksheet. Gary Hinson hacked it about for publication in the ISO27k Toolkit.
Ed Hodgson updated the workbook for ISO/IEC 27001:2013. Gary Hinson fiddled with the wording and formatting, splitting out the metrics and creating a simpler, generic version for the ISO27k Toolkit.