ISO/IEC 27001:2013 is the requirements specification standard for an information security management system, or ISMS for short. There are requirements for performing information security risk assessments, risk treatments, and for producing a “Statement of Applicability”. Reputedly, some organisations have found difficulty with these requirements because they state what must be done, not how to do it.There are standards in the ISO/IEC 27xxx series that offer guidance on how to fulfil the requirements of ISO/IEC 27001. These are descriptive in nature. They describe how organisations could perform risk assessments and offer advice on how to construct a Statement of Applicability (SOA). However, they are lacking in worked examples.Having assisted many organisations to achieve ISO/IEC 27001 certification, I have developed and fine-tuned a methodology for fulfilling these requirements. This methodology is embodied in the IMS-Smart On-Line technology. Its approach to risk assessment uses events and consequences as advocated in ISO 31000:2018 (Risk management – Guidelines) and BS 7799-3:2017 (Guidelines for information security risk management). IMS-Smart defines twelve events and invites the organisations that use the technology to devise tell-it-like-a-story risk treatment plans for each event to determine the necessary information security controls. Organisations are then invited to link phrases in the story text to the ISO/IEC 27001 reference controls, which in turn assists them to produce the SOA.This book recasts the IMS-Smart methodology as a series of questions, the answers to which will construct the risk assessment, the twelve risk treatment plans and the produce the SOA. The recasting results in an evolution of the IMS-Smart methodology. There is also some supporting technology that automatically transforms the answers to the questions into the documented information required by ISO/IEC 27001 for the organisations risk assessment/treatment results and its SOA.The questions fall into two broad categories: those concerning risk and those concerning controls. The control questions are derived from a superset of the ISO/IEC 27001 Annex A controls and those which are likely to appear in the new edition of ISO/IEC 27002, and thereby offers greater value to organisations for ensuring that no necessary control has been inadvertently overlooked.
