ISO27001 Certification – Choosing Controls
The ISO 27001 standard is made up of a set of mandatory clauses and, in Annex A of the 2005 edition, 133 controls. Compliance with all of the clauses is required; adopting every single control is not.
Which controls apply to your chosen scope should be decided through your risk assessment and aligned with your overall security objectives and your contractual requirements.
In practice you will probably find that the vast majority of the 133 controls apply to you: they address information security threats that are common to most organisations.
However, if you do decide to exclude controls, justify each exclusion in your Statement of Applicability (SoA), or give it an entry in your risk assessment, to demonstrate that you have formally considered the risk of not implementing that control. The external certification body will then judge whether the exclusions are appropriate.
Your Statement of Applicability sits alongside your ISO 27001 certificate and is routinely requested by customers and auditors, so write it on the assumption that it will be viewed externally. Do not include sensitive information that you would not want to share with a third party. Some organisations produce a ‘Summary of Controls’ with less detail than their SoA and use this as their public-facing evidence of how far they have implemented the standard.
Remember that the number of controls you adopt gives any interested party a clue to the organisation’s risk appetite and a measure of the thoroughness of your Information Security Management System. As a guide, we advise our clients to ask for more details if a certified organisation offering its services has adopted fewer than 120 of the 133 controls.
Over time, previously excluded controls may come into scope as your business evolves, new threats emerge, and senior management develop their understanding of the risks and release more resources to manage them.