Monday 20 February 2023

Unnecessary controls

With an ISO/IEC 27001 Information Security Management System, the choice of information security controls is almost* entirely a matter for the organisation's management, according to their assessment of the organisation's information risks. 

The overall information risk management process is straightforward:

  1. Identify risks affecting the organisation's information.

  2. Explore the risks, quantifying them in some way.

  3. Decide what, if anything, to do about the risks (avoid, mitigate, share or accept).

  4. Do it!

  5. Monitor for and deal with changes to the risks, their evaluation and treatment, etc.

The information security controls listed in Annex A of ISO/IEC 27001 are reminders of the sorts of controls commonly employed and worth considering, in general, for most organisations. They are NOT mandatory. Management has the discretion to:
  • Select Annex A controls that they feel are 'necessary' to mitigate unacceptable information risks;

  • Select controls from any other source that they feel are 'necessary' to mitigate unacceptable information risks;

  • Modify, adapt, customise, simplify or elaborate on the controls from Annex A or from any other source in order to mitigate unacceptable information risks;

  • Invent/create novel controls in order to mitigate unacceptable information risks;

  • Combine, layer, strengthen or bolster information security controls from Annex A or from any other source in order to reduce significant unacceptable information risks even further e.g. using combinations of preventive, detective and corrective controls of various kinds to protect essential/core business activities that must be highly resilient;

  • Treat unacceptable information risks by avoiding or sharing them;

  • Accept information risks, consciously and deliberately (e.g. totally ignoring the possibility of alien invasion, temporarily accepting the risk of quantum computing rendering cryptographic algorithms obsolete).

Finally, management essentially has no option but to accept various residual information risks, despite all the other risk treatments including the ISMS as a whole, such as those that were:
  • Not even identified as such in the first place - the blind-siders;

  • Inaccurately evaluated and quantified (e.g. different probabilities and/or impacts);

  • Insufficiently or inappropriately mitigated (e.g. when information security controls are poorly designed, implemented, operated and maintained, weakening them perhaps to the point that they fail completely in service);

  • Fine at the time of analysis and implementation, but are no longer appropriate for various reasons;

  • Risks relating to the controls themselves (e.g. excessively strict access controls or onerous authorisation processes may reduce the timely availability of information for legitimate business activities).

Having done all that, compiling the ISMS Statement of Applicability is 'simply' a matter of following the instructions in ISO/IEC 27001 clause 6.1.3(d) to record management's justifications and decisions concerning which controls are necessary, whether they are implemented or not, plus why any of the Annex A controls were excluded (perhaps a blanket statement: "Various Annex A controls were excluded because they are not necessary to mitigate unacceptable information risks").

---------------

* I say 'almost' because management has little to no choice in respect of: 
  • A handful of specific information security controls mandated by the main body clauses of ISO/IEC 27001 to mitigate risks to the ISMS itself e.g.:
    • 'Documented information' stabilises and formalises the information and makes it more amenable to review.
    • Governance arrangements for the ISMS reduce the risks relating to inappropriate direction and control of the ISMS, conflicts of interest and lack of involvement/indecision by management etc.
    • Assurance measures such as ISMS internal audits and management reviews help ensure management is aware of any issues or failings in the ISMS, as well as suggesting improvement opportunities;

  • Further information security controls associated with conformance assessment and certification of ISMSs (e.g. the accreditation of certification bodies, and the certification process, are assurance measures);

  • Information security controls imposed upon the organisation by the authorities through applicable laws and regulations (e.g. for privacy, to protect important financial and other corporate records, plus copyright and other intellectual property rules);

  • Further information security controls required under contracts and agreements that the organisation enters into for business reasons (e.g. PCI DSS, Non Disclosure Agreements with business partners, various controls associated with professional services).
