May 04 2025

ISO 27001’s Outdated SoA Rule: Time to Move On

Category: Information Security,ISO 27kdisc7 @ 11:54 am

  1. Current Requirement in ISO 27001
    ISO 27001 currently mandates that the SoA must include justifications for both the inclusion and exclusion of each Annex A control. This requirement is often interpreted to mean that organizations must provide individual reasoning for every control listed or omitted.
  2. Guidance from ISO 27005:2022
    ISO 27005:2022 clarifies that only controls identified through risk assessment and treatment planning should be included in the SoA. These controls are selected because they help reduce risk to acceptable levels. The guidance explicitly states that no further justification is necessary for their inclusion.
  3. Exclusion Justification Also Redundant
    By extension, the only valid reason for excluding a control is that it was not identified as necessary in the risk treatment plan. If a control does not mitigate any identified risk, there is no need for it to appear in the SoA, and thus, no detailed justification is required.
  4. Controls Must Be Risk-Driven
    Controls exist to manage or modify risks. Including or excluding them must be directly based on whether they are necessary for risk treatment. Requiring extra justification, separate from the risk assessment, is logically inconsistent with the function of controls within an ISMS.
  5. Recommendation to Remove the Justification Requirement
    Given this risk-based logic, the recommendation is to eliminate the need for detailed justifications of inclusions or exclusions in the SoA. This requirement appears to be an error or legacy clause in ISO 27001 that contradicts more recent guidance.
  6. Alignment with ISO 27005 and Future ISO 27003
    This position aligns with ISO 27005:2022, which supports a simplified, risk-driven approach to the SoA. It is anticipated that the upcoming ISO 27003 update will reinforce this same guidance, helping to resolve the inconsistency across standards.
  7. Practical Experience Supports the Change
    Despite popular belief, individualized justifications are not essential. The author has implemented many ISO 27001-certified ISMSs over the past decade without providing such justifications—and all achieved certification successfully.
  8. Simplified SOA Approach Recommended
    The SOA should only list necessary controls derived from the risk assessment, with no additional rationale needed for inclusion or exclusion. Controls not identified as necessary should simply not be listed, and the SOA should remain tightly aligned with the risk treatment plan.

Source: ISO27001 suggested change 13

ISO 27001 Compliance: Reduce Risks and Drive Business Value

ISO 27001:2022 Risk Management Steps


How to Continuously Enhance Your ISO 27001 ISMS (Clause 10 Explained)

Continual improvement doesn’t necessarily entail significant expenses. Many enhancements can be achieved through regular internal audits, management reviews, and staff engagement. By fostering a culture of continuous improvement, organizations can maintain an ISMS that effectively addresses current and emerging information security risks, ensuring resilience and compliance with ISO 27001 standards.

ISO 27001 Compliance and Certification

ISMS and ISO 27k training

Security Risk Assessment and ISO 27001 Gap Assessment

At DISC InfoSec, we streamline the entire process—guiding you confidently through complex frameworks such as ISO 27001, and SOC 2.

Here’s how we help:

  • Conduct gap assessments to identify compliance challenges and control maturity
  • Deliver straightforward, practical steps for remediation with assigned responsibility
  • Ensure ongoing guidance to support continued compliance with standard
  • Confirm your security posture through risk assessments and penetration testing

Let’s set up a quick call to explore how we can make your cybersecurity compliance process easier.

ISO 27001 certification validates that your ISMS meets recognized security standards and builds trust with customers by demonstrating a strong commitment to protecting information.

Feel free to get in touch if you have any questions about the ISO 27001 Internal audit or certification process.

Successfully completing your ISO 27001 audit confirms that your Information Security Management System (ISMS) meets the required standards and assures your customers of your commitment to security.

Get in touch with us to begin your ISO 27001 audit today.

ISO 27001:2022 Annex A Controls Explained

Preparing for an ISO Audit: Essential Tips and Best Practices for a Successful Outcome

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Many companies perceive ISO 27001 as just another compliance expense?

ISO 27001: Guide & key Ingredients for Certification

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: iso 27001, ISO 27001 2022, SoA, Statement of Applicability

Mar 07 2025

Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Applicability?

Category: ISO 27k,Risk Assessment,Security controls,Security Risk Assessmentdisc7 @ 6:59 am

“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”

This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:

  1. SoA Derivation from Risk Assessment
    • The SoA must be based on the risk assessment and risk treatment plan.
    • It should only include controls that were identified as necessary during the risk assessment.
    • Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
  2. Consistency with Risk Treatment Plan
    • The SoA must align with the selected risk treatment options.
    • This ensures that the controls listed in the SoA effectively address the identified risks.
  3. Justification for Controls
    • The SoA can state that all controls were chosen because they are necessary for risk treatment.
    • No separate or additional justification is needed for each individual control beyond its necessity in treating risks.

Why This Matters:

  • Ensures a risk-driven approach to control selection.
  • Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
  • Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.

Practical Example of SoA and Risk Assessment Linkage

Scenario:

A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:

  • Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
  • Risk Level: High
  • Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.

How This Affects the SoA:

  1. Control Selection:
    • The company refers to Annex A of ISO 27001 and identifies Control A.9.4.1 (Use of Secure Authentication Mechanisms) as necessary to mitigate the risk.
    • This control is added to the SoA because the risk assessment identified it as necessary.
  2. Justification in the SoA:
    • The SoA will list A.9.4.1 – Secure Authentication Mechanisms as an included control.
    • The justification can be:
      “This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.”
    • No additional justification is needed because the link to the risk assessment is sufficient.
  3. What Cannot Be Done:
    • The company cannot arbitrarily add a control, such as A.14.2.9 (Protection of Test Data), unless it was identified as necessary in the risk assessment.
    • Adding controls without risk justification would violate ISO 27005’s requirement for consistency.

Key Takeaways:

  • Every control in the SoA must be traceable to a risk.
  • The SoA cannot contain controls that were not justified in the risk assessment.
  • Justification for controls can be standardized, reducing documentation overhead.

This approach ensures that the ISMS remains risk-based, justifiable, and auditable.

DISC InfoSec Previous posts on ISO27k

ISO certification training courses.

ISMS and ISO 27k training

Difference Between Internal and External Audit

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services

Tags: #InfoSec, #RiskAssessment, AnnexA, Information Security Management System, isms, iso 27001, Risk management, security controls, SoA

Aug 30 2024

How to manage information in the cloud: Best practice frameworks

Category: Cloud computingdisc7 @ 10:13 am

It’s predicted that more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud during the next five years. This is no surprise as the cloud is one of the main digital technologies developing in today’s fast-moving world. It’s encouraging that CEOs recognize that it’s crucial for them to champion the use of digital technologies to keep up with today’s evolving business environment.

However, there are still concerns about using cloud services and determining the best approach for adoption. It’s important to acknowledge that adapting to emerging technologies can be challenging, particularly with the constantly expanding range of products and services. As a business improvement partner, DISC collaborates with clients to identify key drivers and develop best practice standards that enhance resilience.

What Influences Organizations to Store Information on the Cloud?

Organizations should align their business strategy and objectives to determine the most suitable approach to cloud computing. This could involve opting for public cloud services, a private cloud, or a hybrid cloud solution, depending on their resources and priorities.

Security concerns remain the leading barrier to cloud adoption, especially with public cloud solutions. In fact, 91% of organizations are very or moderately worried about the security of public cloud environments. These concerns are not limited to IT departments; 61% of IT professionals believe that cloud data security is also a significant concern for executives.

Despite these challenges, many organizations are influenced by the benefits of managing information on the cloud. These benefits include:

  • Agility: you can respond more quickly and adapt to business changes
  • Scalable: cloud platforms are less restrictive on storage, size, number of users
  • Cost savings: no physical infrastructure costs or charges for extra storage, exceeding quotas etc
  • Enhanced security: standards and certification can show robust security controls are in place
  • Adaptability: you can easily adjust cloud services to make sure they best suit your business needs
  • Continuity: organizations are using cloud services as a backup internal solution

Standards to help you Manage Information on the Cloud

Standards that focus on putting appropriate frameworks and controls in place to manage cloud security.

ISO/IEC 27001 international standard for an Information security management system (ISMS). It is the foundation of all our cloud security solutions. It describes the requirements for a best practice system to manage information security including understanding the context of an organization, the responsibilities of top management, resource requirements, how to approach risk, and how to monitor and improve the system.

It also provides a generic set of controls required to manage information and ensures you assess your information risks and control them appropriately. It’s relevant to all types of organizations regardless of whether they are involved with cloud services or not, to help with managing information security against recognized best practices.

ISO/IEC 27017 is an international code of practice for cloud security controls. It outlines cloud-specific controls to manage security, building on the generic controls described in ISO/IEC 27002. It’s applicable to both Cloud Service Providers (CSPs) and organizations procuring cloud services.

It provides support by outlining roles and responsibilities for both parties, ensuring all cloud security concerns are addressed and clearly owned. Having ISO/IEC 27017 controls in place is especially important when you procure cloud services that form part of a service you sell to clients.

ISO/IEC 27018 is an international code of practice for Personally Identifiable Information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII. This is particularly important considering the changing privacy landscape and focus on protecting sensitive personal data.

All businesses need to continually evolve their cybersecurity management in order to effectively manage the cyber risks associated with cloud use. Request to learn more.

Adopt these standards today to ensure your organization effectively manages data in the cloud.

How to build a world class ISMS:

ISO 27001 serves as the foundation for ISO 27017, ISO 27018, and ISO 27701.

After conducting the risk assessment, it’s essential to compare the controls identified as necessary with those listed in Annex A to ensure no important controls were overlooked in managing the risks. This serves as a quality check for the risk assessment, not as a justification for using or not using any controls from Annex A. This process should be done for each risk identified in the assessment to see if there are opportunities to enhance it.

Any controls that you discover were unintentionally “omitted” from the risk assessment can come from any source (NIST, HIPAA, PCI, or CIS Critical Security Controls) and are not restricted to those in Annex A.

One should consider CIS Controls to strengthen one of the above frameworks when building your ISMS. CIS Controls is updated frequently than frameworks and are highly effective against the top five attack types found in industry threat data, effectively defending against 86% of the ATT&CK (sub)techniques in the MITRE ATT&CK framework.

Statement of Applicability (SoA) is typically developed after conducting a risk assessment in ISO 27001. The risk assessment identifies the information security risks that the organization faces and determines the appropriate controls needed to mitigate those risks.

In ISO 27001, the Statement of Applicability (SoA) is a key document that outlines which information security controls from Annex A ( or from (NIST, HIPAA, PCI, or CIS Critical Security Controls)) are applicable to an organization’s Information Security Management System (ISMS). The SoA provides a summary of the controls selected to address identified risks, justifies why each control is included or excluded, and details how each applicable control is implemented. It serves as a reference to demonstrate compliance with ISO 27001 requirements and helps in maintaining transparency and accountability in the ISMS.

The SoA is essential for internal stakeholders and external auditors to understand the rationale behind the organization’s approach to managing information security risks.

Cloud shared responsibilities:

Most companies appear to be operating in the hybrid or public cloud space, often without fully realizing it, and need to gain a better understanding of this environment.

Cloud shared responsibilities refer to the division of security and compliance responsibilities between a cloud service provider (CSP) and the customer. This model outlines who is responsible for specific aspects of cloud security, depending on the type of cloud service being used: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).

The division of responsibilities varies based on the cloud service model:

  • IaaS: The CSP manages the basic infrastructure, but the customer is responsible for everything else, including operating systems, applications, and data.
  • PaaS: The CSP manages the infrastructure and platform, while the customer focuses on application development, data management, and user access.
  • SaaS: The CSP handles most security aspects, including applications and infrastructure, while the customer is primarily responsible for data security and user access management.

Understanding the shared responsibility model is crucial for ensuring that both the CSP and the customer are aware of their respective roles in maintaining cloud security, compliance and last but not the least managing risks in the cloud environment.

In summary, The shift to cloud computing is expected to influence over $1 trillion in IT spending over the next five years as companies increasingly adopt digital technologies to stay competitive. Despite the benefits of cloud computing—such as agility, scalability, cost savings, and enhanced security—many organizations face challenges, particularly around security concerns, which are a major barrier to cloud adoption. To navigate these challenges, businesses need to align their cloud strategies with their objectives, choosing between public, private, or hybrid cloud solutions. Additionally, implementing standards like ISO/IEC 27001, ISO/IEC 27017, and ISO/IEC 27018 can help manage cloud security and compliance effectively by providing frameworks for managing information security risks and ensuring data protection. Understanding the shared responsibility model is also crucial for cloud security, as it defines the distinct roles of cloud service providers and customers in maintaining a secure cloud environment.

Latest Cloud Security titles

Previous posts on Cloud Computing

ISO27701 – Privacy information management system

Check out these previous ISO27k posts

InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot

Tags: cloud computing benefits, Cloud computing frameworks, cloud computing security, cloud security, cloud security risks, Cloud shared responsibilities, isms, ISO27k, SoA