CIMSNex includes an "ISO 27001:2022 ANNEX-A Control Applicability Evaluation" feature for assessing the applicability of the ISO 27001:2022 Annex-A controls. Users produce a Statement of Applicability entry for each of the 93 controls in Annex-A by clicking the "Add" button and completing the required fields. The control list presents the following columns:
- ISO 27001:2022 Annex-A Controls: Lists each Annex-A control in ISO 27001:2022 individually, so that every control can be evaluated on its own.
- Control Type: Indicates whether the control is preventive or detective.
- Justification Guide: A guide to justifying the applicability of each control to your organisation, explaining the rationale behind its applicability status so that the decision is well founded.
- Implementation Guide: Links to a detailed page explaining the specific requirements of the clause and what it expects of the organisation.
- Documentation: Shows the documentation required for compliance with the standard, itemised against the specific clauses.
- Templates: Provides downloadable, customisable templates designed to match the clause requirements, which you adapt to your organisation's context.
- System Records: Gives access to the system-generated reports relevant to each clause; these reports track compliance efforts.
When you click the ADD button, the feature opens an evaluation form for the applicability of the ISO 27001:2022 Security Controls. The form is structured as follows:
- Security Controls: Each ISO 27001:2022 Security Control, such as A.8.6 Capacity Management, is listed for evaluation.
- SOA ID: A system-generated identification number assigned to each control for organised tracking.
- Review Date: The current date, captured automatically when the assessment is conducted.
- Review Purpose: The reason for the assessment. If you are reviewing the assessment for the first time, select Pre-Implementation. After the system has been implemented, select Post-Implementation to update the status of the statement. Any further review is for the purpose of Management Review, to update the status of the ongoing implementation of the different components of the system.
- Applicability: For each control, select "Applicable" or "Not Applicable" to indicate whether the control is required or being implemented for your organisation.
- Justification: Provide a justification whether the control is considered "Applicable" or "Not Applicable". Follow the Justification Guide described above to ensure a clear rationale.
- Implementation Method: Describe how the applicable control is implemented within your organisation, i.e. whether the policy is implemented as a single document, as part of another document, as a technological implementation, or is still to be determined.
- Responsibility: Identifies the individual or team accountable for implementing the clause's requirement.
- Implementation Status: A range of statuses indicating the level of compliance, from lowest to highest:
  - "NOT IMPLEMENTED": The control has not been implemented, and there is no evidence of its existence within the organisation.
  - "INITIAL/ ADHOC": The control is in its initial stages, implemented on an ad hoc basis with no formal processes or documentation.
  - "PARTIAL IMPLEMENTATION": Parts of the control have been implemented, but there are significant gaps or inconsistencies in its application across the organisation.
  - "LARGELY IMPLEMENTED": The control is implemented in a majority of relevant areas, with consistent processes, documentation, and periodic reviews.
  - "CONSISTENTLY IMPLEMENTED": The control is consistently and uniformly applied across relevant areas of the organisation, with defined processes and documentation.
  - "FULLY IMPLEMENTED": The control is fully implemented across the organisation, with well-defined processes, thorough documentation, and continuous monitoring.
  - "OPTIMIZED/MATURE": The control is not only fully implemented but also optimised for efficiency and effectiveness. Continuous improvement practices are in place, and the control is regularly reviewed and updated.
  - "NOT APPLICABLE": Denotes clauses that are irrelevant to, or excluded from, the organisation's scope.
- Additional Description: Additional space for supplementary information.
- Attachment: Allows relevant documents or references to be attached, for example a customised template finalised as a PDF document, such as a policy or procedure.
VIEW STATEMENT OF APPLICABILITY
To access the current Statement of Applicability, navigate to the "27001 Annex-A Assessment/SOA Report" option in the menu. A report is generated presenting an overview of the current implementation status of each clause. From this report, users can review and update the implementation status of an individual clause requirement by selecting the "Review" button for the corresponding record, which allows the progress of clause implementation to be managed and tracked within the organisation's framework.
VIEW KPI REPORT
As you complete and update the Statement of Applicability, the system automatically generates the KPI (Key Performance Indicator) and KRI (Key Risk Indicator) status report, indicating your current risk exposure based on the implementation status. In the generated report, the KPI and KRI statuses are color-coded as either Red or Orange. To access the KPI Report, simply navigate to the "27001 Annex-A Mapping/KPI Report" option in the menu.
A Red or Orange KPI or KRI status indicates that immediate action is needed. The colour coding gives a visual indication of the areas where performance or risk levels do not meet the desired thresholds or standards, so that organisations can prioritise and address critical issues promptly.
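The Statement of Applicability form fields and the ordered implementation-status scale described above, together with the KPI/KRI roll-up, can be modelled in a few lines. The following is an added example written for this page, not CIMSNex code: it defines an SoA record with the page's fields, validates a record for internal consistency (a justification is required in both cases; an assumed rule, not stated on the page, is that the Applicability field and a NOT APPLICABLE status must agree), and rolls records up into Red/Orange indicators. The status-to-colour thresholds are illustrative assumptions, since the page does not document the product's actual KPI/KRI rule, and the sample records are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Implementation statuses ordered from lowest to highest maturity, as listed on the page.
STATUS_SCALE = [
    "NOT IMPLEMENTED",
    "INITIAL/ ADHOC",
    "PARTIAL IMPLEMENTATION",
    "LARGELY IMPLEMENTED",
    "CONSISTENTLY IMPLEMENTED",
    "FULLY IMPLEMENTED",
    "OPTIMIZED/MATURE",
]
NOT_APPLICABLE = "NOT APPLICABLE"
REVIEW_PURPOSES = {"Pre-Implementation", "Post-Implementation", "Management Review"}

# Assumed illustrative thresholds (not the product's documented rule):
# below PARTIAL IMPLEMENTATION -> Red; below CONSISTENTLY IMPLEMENTED -> Orange.
RED_BELOW = STATUS_SCALE.index("PARTIAL IMPLEMENTATION")
ORANGE_BELOW = STATUS_SCALE.index("CONSISTENTLY IMPLEMENTED")


@dataclass
class SoaRecord:
    """One Statement of Applicability entry, using the form fields from the page."""
    control: str                      # e.g. "A.8.6 Capacity Management"
    applicability: str                # "Applicable" or "Not Applicable"
    justification: str
    implementation_status: str        # one of STATUS_SCALE or NOT_APPLICABLE
    review_purpose: str               # one of REVIEW_PURPOSES
    implementation_method: str = ""
    responsibility: str = ""
    review_date: date = field(default_factory=date.today)


def validate(record: SoaRecord) -> list[str]:
    """Return the list of consistency problems; an empty list means the record is sound."""
    problems = []
    if record.applicability not in ("Applicable", "Not Applicable"):
        problems.append("applicability must be 'Applicable' or 'Not Applicable'")
    if not record.justification.strip():
        problems.append("a justification is required whether applicable or not")
    if record.review_purpose not in REVIEW_PURPOSES:
        problems.append(f"unknown review purpose: {record.review_purpose!r}")
    if record.implementation_status not in STATUS_SCALE + [NOT_APPLICABLE]:
        problems.append(f"unknown implementation status: {record.implementation_status!r}")
    # Assumed rule: the Applicability choice and a NOT APPLICABLE status must agree.
    elif record.applicability == "Not Applicable" and record.implementation_status != NOT_APPLICABLE:
        problems.append("a 'Not Applicable' control must carry status NOT APPLICABLE")
    elif record.applicability == "Applicable" and record.implementation_status == NOT_APPLICABLE:
        problems.append("an 'Applicable' control cannot carry status NOT APPLICABLE")
    return problems


def maturity_level(record: SoaRecord) -> Optional[int]:
    """Position on the status scale (0 = lowest maturity); None for NOT APPLICABLE."""
    if record.implementation_status == NOT_APPLICABLE:
        return None
    return STATUS_SCALE.index(record.implementation_status)


def indicator(record: SoaRecord) -> Optional[str]:
    """Map a record to 'Red', 'Orange' or None using the assumed thresholds above."""
    level = maturity_level(record)
    if level is None:
        return None
    if level < RED_BELOW:
        return "Red"
    if level < ORANGE_BELOW:
        return "Orange"
    return None


def kpi_summary(records: list[SoaRecord]) -> dict[str, int]:
    """Count records per indicator; records that fail validation are counted as Invalid."""
    summary = {"Red": 0, "Orange": 0, "OK": 0, "Not Applicable": 0, "Invalid": 0}
    for record in records:
        if validate(record):
            summary["Invalid"] += 1
        elif record.implementation_status == NOT_APPLICABLE:
            summary["Not Applicable"] += 1
        else:
            summary[indicator(record) or "OK"] += 1
    return summary


# Constructed sample records (A.8.6 is the control named on the page).
SAMPLE_RECORDS = [
    SoaRecord("A.8.6 Capacity Management", "Applicable", "Production capacity is monitored",
              "LARGELY IMPLEMENTED", "Post-Implementation", "Technological implementation", "IT Ops"),
    SoaRecord("A.5.1 Policies for information security", "Applicable", "Required by the ISMS",
              "FULLY IMPLEMENTED", "Management Review", "Single document", "CISO"),
    SoaRecord("A.7.1 Physical security perimeters", "Not Applicable", "No premises; fully remote",
              NOT_APPLICABLE, "Pre-Implementation"),
    SoaRecord("A.8.1 User endpoint devices", "Applicable", "",   # missing justification -> Invalid
              "NOT IMPLEMENTED", "Pre-Implementation"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.control, "->", indicator(r), validate(r))
    print(kpi_summary(SAMPLE_RECORDS))
```

Running the block prints each sample control with its indicator and any validation problems, then the roll-up; the fourth record is rejected because its justification is empty, which is the check a reviewer would want before a Statement of Applicability is presented as complete.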