Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Creating and maintaining a statement of applicability

Critical
High
Normal
Low

The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.

The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of the controls. In addition, possible reasons for not using certain controls are described.

Connected other frameworks and requirements:
6.1: Information security risk management
ISO 27001
7.5: Requirements for documented information
ISO 27001

Risk management procedure -report publishing and maintenance

Critical
High
Normal
Low

The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:

  • Risk identification methods
  • Methods for risk analysis
  • Criteria for risk evaluation (impact and likelihood)
  • Risk priorisation, treatment options and defining control tasks
  • Risk acceptance criteria
  • Process implementation cycle, resourcing and responsibilities

The task owner regularly checks that the procedure is clear and produces consistent results.

Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
5.1.1: Policies for information security
ISO 27001
ID.GV-4: Processes
NIST CSF
ID.RA-5: Risk evaluation
NIST CSF
ID.RA-6: Risk responses
NIST CSF

Identification and documentation of cyber security risks

Critical
High
Normal
Low

The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:

  • Description of the risk
  • Evaluated impact and likelihood of the risk
  • Tasks for managing the risk or other treatment options
  • Acceptability of the risk
Connected other frameworks and requirements:
T04: Turvallisuusriskien hallinta
4 luku, 13 §: Tietoaineistojen ja tietojärjestelmien tietoturvallisuus
24. Responsibility of the controller
GDPR
5. Principles relating to processing of personal data
GDPR
ID.GV-4: Processes
NIST CSF

Risk level accepted by the organization

Critical
High
Normal
Low

The organization must determine an acceptable level for risks. The level is calculated based on the likelihood, impact and control of the risks.

Connected other frameworks and requirements:
ID.RM-2: Risk tolerance
NIST CSF
ID.RM-3: Informing of risk tolerance
NIST CSF
6.1: Information security risk management
ISO 27001
3.1 (MIL1): Establish and Maintain Cyber Risk Management Strategy and Program
C2M2
No items found.