
October 4, 2025 17 mins
The source for this episode, Dr David Brewer's book, provides comprehensive guidance on implementing the ISO/IEC 27001:2013 standard for information security management systems (ISMS). The text details the requirements for risk assessment, risk treatment, and the creation of a Statement of Applicability (SOA), offering practical methodologies such as the event-consequence approach and a classification of control types. It also presents examples of documented information for processes and results, outlining how to define and apply a risk assessment and treatment process that yields consistent, valid, and comparable outcomes. The source further explores different layouts for the SOA and introduces an online "Assistant" tool to help organizations conform to the standard. Overall, the publication serves as a practical guide for organizations seeking to reduce information security risks to an acceptable level and comply with ISO/IEC 27001.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/ISO-IEC-27001-Assessment-Applicability/dp/B08TQ4T2Q6?&linkCode=ll1&tag=cvthunderx-20&linkId=a38f66b6ef06762b24f69cd281589136&language=en_US&ref_=as_li_ss_tl

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Have you ever found yourself, you know, struggling with a
really complex industry standard? You see all the requirements at once,
but you just wish someone would clearly lay out the hows.

Speaker 2 (00:09):
Yeah, that's a common frustration, absolutely, and today that's exactly
what we're diving into: information security, and specifically how you
actually implement ISO/IEC 27001:2013.

Speaker 3 (00:22):
2013, the big standard for information security management systems,
or an ISMS.

Speaker 1 (00:27):
Right, it's the benchmark. It's comprehensive, really critical stuff, but
it often leaves people asking, Okay, great, but how do
we do this in practice?

Speaker 3 (00:35):
That is the key question, isn't it? ISO/IEC 27001
tells you what you need to do: perform risk assessments,
produce that statement of applicability. But it's
not prescriptive on the how.

Speaker 1 (00:45):
It describes the destination, not the route. Precisely.

Speaker 3 (00:48):
And that's where our source for today comes in: Doctor
David Brewer's book. It's incredibly valuable because he offers this
really fine-tuned, actionable methodology. It fills in those practical gaps.

Speaker 1 (00:59):
Okay, So our mission today is to unpack doctor Brewer's
approach for you. We want to take what can feel
like a daunting list of rules and turn it into
a clear, confident way to manage your information security risks.

Speaker 3 (01:12):
So you walk away knowing the practical how to.

Speaker 1 (01:14):
Exactly, ready to tackle this with real clarity. So let's
just ground ourselves again. ISO/IEC 27001:2013 is all about
helping organizations put controls in place to get information
security risks down to an acceptable level.

Speaker 3 (01:31):
Right. But the thing is every organization is different.

Speaker 1 (01:35):
Your business, your environment, the tech you use. It all
means your.

Speaker 3 (01:38):
Risks are unique, absolutely, and the standard reflects that. It
requires you to define your risk appetite basically, how much
risk are you okay with?

Speaker 1 (01:46):
That's your threshold. Exactly.

Speaker 3 (01:48):
Then you do a risk assessment to figure out which
risks go over that threshold. Then you start risk treatment,
applying controls to bring those.

Speaker 1 (01:55):
Risks down, and the end result of that is the
statement of applicability.

Speaker 3 (01:58):
The SOA, your documented list of controls. And Doctor
Brewer's method gives you a really systematic way to get
through all that, offering practical steps where, you know, other
guidance might be a bit theoretical.

Speaker 1 (02:10):
Okay, But before we jump into the how of doctor
Brewer's method, let's just get really clear on what we
mean by risk here.

Speaker 3 (02:16):
Good idea. Doctor Brewer uses the definition from ISO 31000:
risk is the effect of uncertainty on objectives.

Speaker 1 (02:24):
Uncertainty on objectives. And effect here doesn't just mean bad stuff.

Speaker 3 (02:28):
Correct. An effect is just a deviation from what you
expect. Could be positive, could be negative.

Speaker 1 (02:33):
Risk can have an upside. But for today, for ISO
27001, we're mostly focused on
managing the negative side.

Speaker 3 (02:40):
That's our focus here, yes, managing those potential negative impacts,
which leads us nicely into Doctor Brewer's preferred way to
do the risk assessment, the event-consequence method. His approach
is also backed by ISO 31000 and BS 7799-3:2013,
and honestly, it's a big improvement over older ways of
doing things.

Speaker 1 (03:00):
A big improvement, you say. What was wrong with the
old asset-threat-vulnerability method that was common in, say,
the 2005 version of ISO 27001? What made this shift necessary?

Speaker 3 (03:12):
Well, it had some real drawbacks. For one, it really
struggled with things like zero day vulnerabilities.

Speaker 1 (03:18):
Because you wouldn't know the vulnerability existed yet. Exactly.

Speaker 3 (03:21):
The model kind of implied you needed to know the
vulnerability to assess the risk related to it, which isn't realistic.
It also tended to frame risk in very technical language,
making it.

Speaker 1 (03:31):
Hard for maybe senior management to connect.

Speaker 3 (03:34):
With precisely, hard to grasp the actual business impact sometimes,
and it could miss broader risks, societal things, operational issues
that didn't fit neatly into that ATV model. The event
consequence method is simpler. It focuses on things that can
actually happen, events and what the fallout would be, the consequences.
It's much more relatable, much more comprehensive for everyone involved.

Speaker 1 (03:55):
That makes a lot of sense. Accessibility is key. So
how does this event-consequence method work? You said four steps?

Speaker 3 (04:01):
Yes, four steps, pretty straightforward. First, you identify risks. You
do this by pairing an event with its potential consequence.

Speaker 1 (04:08):
Okay, give us an example.

Speaker 3 (04:09):
Doctor Brewer uses this one. A laptop is stolen. That's
your event. The consequence: undesirable disclosure of personally identifiable information, PII.

Speaker 1 (04:18):
Okay, clear. Event, consequence, got it. What's step two?

Speaker 3 (04:22):
Step two, assess the severity of that consequence. Doctor Brewer
suggests using a monetary scale, but crucially a logarithmic one. Logarithmic?
Why logarithmic? Because it lets you handle a huge range
of impacts consistently. You could have a £10 consequence
or a £100 million one. A log scale lets you
map both onto a single comparable scale. A value like

(04:45):
£10k might be a three, £1 million might be
a five. Even values in between, like 4.7
for £500, are meaningful.

Speaker 1 (04:51):
Ah, okay. So it compresses the range but keeps the
relative differences meaningful. It makes very different scales of impact
comparable. Exactly.

Speaker 3 (04:57):
It ensures you can properly compare and prioritise, whether it's
a small hit or a catastrophe. Step three, you assess
the likelihood of the event happening, the
frequency, or likelihood.

Speaker 1 (05:06):
And is that logarithmic too?

Speaker 3 (05:07):
Yes, also a reciprocal-time logarithmic scale. Think about it.
How else do you consistently compare something that might happen
once a century versus something happening, I don't know, thousands
of times a second?

Speaker 1 (05:19):
Right, that's a vast difference.

Speaker 3 (05:21):
This scale gives you that range. Once a year might
be scale value 2, every minute could be 7.8.
It standardizes frequency assessment across wildly different scenarios.

Speaker 1 (05:32):
That standardization seems really powerful for making comparisons.

Speaker 3 (05:35):
It is, and it leads directly to step four: determine
the risk level. Because you're using log scales, you
don't actually multiply likelihood and severity in the usual sense.
You just add their scale values.

Speaker 1 (05:47):
Oh, a simple addition.

Speaker 3 (05:48):
Simple addition. A likelihood of 3 plus a consequence of
2 equals a risk level of 5. Super easy to
calculate and compare different risks across the board.

Speaker 1 (05:56):
Now, to make this really practical for you, Doctor Brewer
doesn't leave it there. He actually identifies twelve standard events.
These aren't just abstract; they cover common, realistic scenarios.

Speaker 3 (06:07):
You need controls for things you're actually worried about, right?

Speaker 1 (06:11):
Like S1, theft or loss of mobile devices. It's
a classic. S9, hacking, obviously. S3, acts of God, vandals, terrorists.
And maybe S8, fraud or error. Things like that.

Speaker 3 (06:24):
And he even helps categorize how you determine likelihood. Category
R for random events you can't influence, like acts of
God; E where you have little influence but some experience,
maybe like common malware; and O for opportunity-dependent events, like...

Speaker 1 (06:37):
How often a laptop actually leaves the building. That influences
the likelihood of it being stolen outside. Exactly.

Speaker 3 (06:43):
It adds consistency to assessing likelihood and all this data.
These scales, they allow for what doctor Brewer calls risk squares.

Speaker 1 (06:50):
Risk squares, like a graph? Yeah, basically.

Speaker 3 (06:52):
A graphical way to plot your risks: likelihood on one
axis, consequence on the other, both using those log scales.
This lets you visually represent that huge range we talked
about, once a century to thousands of times a second,
£10 to £100 million, all on one chart. Wow, okay.
And you get these lines of constant risk. You can
color code them: green for acceptable, yellow for borderline, red

(07:12):
for unacceptable. It gives you this immediate visual snapshot of
your risk landscape. Very powerful for communication.

Speaker 1 (07:20):
That sounds incredibly useful, especially for talking to management. And
throughout this whole assessment, you're not just getting numbers, you're
also identifying the risk owners.

Speaker 3 (07:29):
Right, absolutely critical. You need to know who has the
actual accountability and the authority to manage each specific risk.

Speaker 1 (07:36):
So if that risk happens, everyone knows who's responsible for
dealing with it. No confusion.

Speaker 3 (07:40):
Precisely, it assigns clear responsibility.

Speaker 1 (07:43):
Okay, so we've identified the risks, we've quantified them, we
know who owns them. Now we need to figure out
what to do about the unacceptable ones: risk treatment. And
this is where Doctor Brewer gets quite creative with his
"tell it like a story" method.

Speaker 3 (07:56):
Yes, it's a brilliant, intuitive approach. The idea is, for
each of those twelve standard events, you imagine it like
a short movie playing out in three scenes. Yeah. Scene
one is preventive. What measures do you have to stop
the event from happening in the first place? Think strong building security,
clear policies, good training.

Speaker 1 (08:17):
Okay, stop it before it starts.

Speaker 3 (08:19):
Scene two is detective. If prevention fails and the event
does happen, how do you detect it quickly? That's your alarms,
your monitoring systems, your audit logs. Catch it in the act.
And scene three is reactive. Once you've detected it, what
do you do to limit the damage, the consequences? Data backups,
encryption on stolen data, your incident response plan kicking in.

Speaker 1 (08:41):
Prevent, detect, react.

Speaker 3 (08:43):
It's a sequence, it is. And this ties into something
Doctor Brewer calls the time theory, which is, I think,
quite profound. Time theory?

Speaker 2 (08:50):
Yeah.

Speaker 3 (08:50):
It basically says that an effective control system is all
about time. It's about detecting opportunities for bad things, or
the bad things themselves, early enough to do something positive
about them. Okay. So preventive and detective controls, they operate before
the full impact. They give you a time window to
change the likelihood. Reactive controls, they happen after detection to
lessen the severity.

Speaker 1 (09:11):
So it forces you to think about the timing of
your controls, not just whether you have them. That really
does shift the perspective.

Speaker 3 (09:18):
It does. It's about building resilience through timely intervention.

Speaker 1 (09:23):
Let's make that concrete with the stolen laptop story again,
using this three-scene approach. Okay, preventive might be, say,
a strict policy: no company laptops leave the main office,
period, enforced at the door.

Speaker 3 (09:37):
Good preventive control.

Speaker 1 (09:39):
Detective could be, maybe, a GPS chip in the laptop
that sends an alert if it crosses a defined boundary,
a geofence.

Speaker 3 (09:46):
Quick detection if the preventive control fails or isn't used.

Speaker 1 (09:49):
And reactive, well, that's things like having strong encryption
on the hard drive so the data is useless to
the thief, or having the ability to remotely wipe the
device once you confirm it's gone.

Speaker 3 (09:58):
Exactly. You're writing a script for how you'll handle that specific
event, scene by scene.

Speaker 1 (10:02):
It makes it very practical.

Speaker 3 (10:04):
And he goes further, categorizing how different controls behave within
these stories. There are n-factor controls, like passwords. Their
strength depends on how hard they are to guess. They
reduce likelihood by a factor of n. Then there's excess.
That's where we replace one consequence with a smaller one,
like insurance paying out after a theft. You still have
the disruption, maybe a deductible, but the main financial loss

(10:27):
is covered, right.

Speaker 1 (10:28):
You swap a big loss for a smaller, manageable one.

Speaker 3 (10:31):
And strangulation. This is where a control works fine up
to a point but gets overwhelmed if the event happens
too often or too intensely. Think of one person trying
to handle a sudden flood of security alerts. They just
can't keep up. The control effectively fails.

Speaker 1 (10:47):
Understanding those failure points is crucial. So Doctor Brewer calls
this storytelling the optimum approach?

Speaker 3 (10:54):
Yes, because you use it as a design tool. You're
proactively designing your response, constantly asking okay, but what if
this part fails, what's next?

Speaker 1 (11:02):
It sounds like it really builds security awareness across the
organization much better than just ticking boxes on a control list.

Speaker 3 (11:08):
Absolutely. It fosters genuine understanding of how security works in your context.
The goal is always that happy ending, where the risk
left over after your story plays out, the residual risk,
is actually acceptable to you.

Speaker 1 (11:19):
Okay, so you've done the assessment, you've designed your treatments
using these stories. How do you package all this up?
That brings us back to the statement of applicability,
the SOA. Exactly.

Speaker 3 (11:28):
The SOA is the formal output. It's your comprehensive catalog,
your inventory of all your information security controls. It's a
mandatory document for ISO 27001.

Speaker 1 (11:40):
And what has to be in it.

Speaker 3 (11:41):
Several key things. All the necessary controls you decided you
needed based on your risk treatment stories. Okay. You need
justification for why you included each one. You need to
state clearly whether each control is actually implemented or not. Right,
status is important. And crucially, if you decide not to
implement any of the controls listed in Annex A of the standard,

(12:01):
you have to justify those exclusions too.

Speaker 1 (12:03):
Let's just quickly clarify Annex A for anyone who might not
live and breathe this stuff.

Speaker 3 (12:08):
Good point. Annex A is basically ISO 27001's
big reference list of common security controls. Think of
it as a library of good practices, covering everything from
access control to cryptography to physical security.

Speaker 1 (12:22):
It's the standard's baseline checklist, right?

Speaker 3 (12:25):
It provides that common language, a solid starting point. But
relying only on Annex A has a weakness, which is, if
your risk assessment, your storytelling, identifies a control you absolutely need,
but that control just doesn't happen to be in Annex A,
just comparing your list to Annex A won't tell you you're
missing something important from your own assessment.

Speaker 1 (12:45):
Ah, I see. Annex A is a reference, not the definitive
list of your necessary controls. So how does Doctor Brewer
handle that potential gap?

Speaker 3 (12:54):
Through what he calls the cross-checking process. It's vital.
You take the necessary controls you identified yourself through your
event-consequence analysis and storytelling.

Speaker 1 (13:03):
Your optimum approach.

Speaker 3 (13:04):
List, exactly. And you compare that list against Annex A. It's
not about replacing your list with Annex A. It's about validating
your list.

Speaker 1 (13:11):
Against Annex A, like checking your work.

Speaker 3 (13:14):
Precisely, a smart cross-reference. And during this you might
find different types of controls. You'll have your necessary controls
that do map to Annex A. Yeah. You might have custom
controls, ones you need that just aren't in Annex A at all.
You might find obviated controls. This is interesting. Say you
implement a really strong custom control, like completely banning removable media.

(13:35):
That custom control makes the standard Annex A control about managing
removable media unnecessary, or obviated.

Speaker 1 (13:42):
Right. Your custom control supersedes it. Exactly.

Speaker 3 (13:45):
And then you have variants, which are just your specific
way of implementing a general Annex A control.

Speaker 1 (13:50):
That level of detail ensures a really accurate picture. And
I remember you mentioning Doctor Brewer goes even further with
a reference control superset.

Speaker 3 (13:59):
Yes, this is really forward-thinking. He doesn't just use
Annex A as the reference. His superset includes controls from Annex A,
but also anticipates controls likely to appear in future versions
of related standards, like ISO 27002,
and it fills in gaps he identified in the current standards,
especially around detective and reactive measures.

Speaker 1 (14:17):
So using his superset makes your ISMS more robust now
and potentially saves you work when the standards update later.

Speaker 3 (14:24):
That's the idea, better security for you now and less
rework down the line. And importantly, using these extra reference
controls doesn't add burden to your SOA documentation, because you
only need to justify excluding controls that are actually in
the current Annex A. Got it.

Speaker 1 (14:40):
So the SOA itself, how does it look? Does it
have to follow the Annex A structure?

Speaker 3 (14:46):
Not necessarily. It can; that's the traditional layout. But you
can also use a more modern layout, maybe grouping controls
by pillars like organizational, people, physical, and technological controls. The key
thing is clarity and accuracy, because remember, auditors view
your SOA, not just Annex A in isolation.

Speaker 1 (15:02):
The SOA is the real evidence of your system. It
really is.

Speaker 3 (15:05):
Its accuracy, those justifications, that's what demonstrates your conformity.

Speaker 1 (15:09):
So you've built the system, you've documented it in the SOA.
What about keeping it alive? An ISMS isn't a one
time project.

Speaker 3 (15:16):
Right, absolutely not. It's a continuous cycle. Maintaining and improving
it is crucial.

Speaker 1 (15:20):
What does that involve?

Speaker 3 (15:21):
The standard requires regular reviews, scheduled reassessments of your risks.
But also you need to react quickly to significant.

Speaker 1 (15:28):
Changes like new tech, new services, maybe new regulation.

Speaker 3 (15:32):
Exactly, anything that can materially change your risk landscape. And
there's a fascinating aspect here. The ISMS kind of has
a self-healing

Speaker 1 (15:41):
Property? Self-healing, how so? Well, think about it.

Speaker 3 (15:44):
If a review shows changes are needed, maybe a control
isn't working, or risks have changed, and you don't make
those necessary updates, that inaction itself creates a non-conformity
against the standard's requirement for maintenance and documented information being accurate.

Speaker 1 (15:58):
Ah. So the standard itself forces you to fix it to
stay compliant.

Speaker 3 (16:03):
Right. It pushes you to ensure your documented system always
reflects the reality on the ground. It's a built in
driver for keeping things up to date.

Speaker 1 (16:11):
And that ties back to Doctor Brewer's approach being future-proof.

Speaker 3 (16:14):
Yes, especially using his broader reference control superset. By thinking ahead,
anticipating changes, addressing gaps now, you're better prepared for when
ISO/IEC 27001 gets its next revision.
It should mean less frantic scrambling for you later.

Speaker 1 (16:30):
You're building on a more solid, forward looking foundation.

Speaker 3 (16:34):
That's the goal.

Speaker 1 (16:34):
Okay, well, we have certainly taken a deep dive today.
We've unpacked ISO/IEC 27001, seeing
how Doctor Brewer's methodology really tackles that how-to problem
head on.

Speaker 3 (16:47):
From the event-consequence method for risk assessment to that...

Speaker 1 (16:50):
Really intuitive "tell it like a story" approach for designing
risk treatments.

Speaker 3 (16:55):
And understanding how the SOA becomes your living blueprint for security.

Speaker 1 (16:59):
The takeaway for you listening is hopefully real clarity, an actionable,
structured way to get a better handle on your information security.

Speaker 3 (17:07):
Making it less daunting, more manageable.

Speaker 1 (17:09):
Definitely. And as we wrap up, maybe here's a thought
to leave you with, Building on that idea of proactive design.
As threats keep changing, how much is your organization really
thinking beyond just prevention?

Speaker 3 (17:21):
Yeah. Are you actively designing systems not just to block attacks,
but assuming some things might get through, and focusing on
robust detection, swift reaction, effective response?

Speaker 1 (17:30):
It's that whole story: prevent, detect, react. It's not just
about what you managed to stop, but how well prepared
you are to handle what you don't. Something to definitely
mull over. Thank you so much for joining us on
this deep dive today. Keep learning, keep questioning, and stay
proactive out there. We'll catch you next time.