
Volume 3, 2017

This Week's Online-Exclusive Feature

The Benefits of the Statement of Applicability in ISMS Projects
24 May 2017
Jayakumar Sundaram, CISA, ISO 27001 LA

The statement of applicability (SoA) is the main link between risk assessment and risk treatment in an enterprise, or in an organization within an enterprise, and is therefore a mandatory deliverable of any information security management system (ISMS) implementation. The SoA is a continuously updated and controlled document that provides an overview of how information security has been implemented.

ISO 27001:2013 requires a documented statement (the SoA) that covers the 35 control objectives and 114 controls of Annex A and records, for each control, whether it is included in the organizational ISMS and whether it has been implemented. The SoA should give a justification for including or excluding each Annex A control. Not every organization needs every control listed in Annex A. For example, an organization that does not allow staff to work remotely does not need to implement the teleworking-related controls, and its SoA should say so and why.




Podcast
ISACA Journal Volume 1 Podcast

The Automation Conundrum

This Week's Featured Blog

Securing Connected Devices
15 May 2017
Hemant Patel, CISM, ITIL, PMP, TOGAF

Some Internet of Things (IoT) security issues and incidents can be attributed to poor knowledge, failure of the security manager to properly educate stakeholders, or lack of stakeholder interest in investing in security measures. Some of this hesitance to invest in security comes from a desire to defer upfront, preventive security spending and absorb the cost later as operational or reactive spending instead. That deferment is often possible only because there is no proper risk model, so the cost of the risk being accepted is never accounted for. In some situations, time pressures may also encourage deferring upfront security measures.

About 5 years ago, I started managing automobile sensors’ data integration architecture, and the term “IoT” was not even used at that time.




What's New for Nonmembers

IS Audit Basics Articles

Data Management Body of Knowledge—A Summary for Auditors

Risk-based Audit Planning for Beginners

The Auditors, IS/IT Policies and Compliance

Preparing for Auditing New Risk, Part 2

Preparing for Auditing New Risk, Part 1

The Soft Skills Challenge, Part 6


Full Journal Issues

Volume 3, 2016: Data Privacy

Volume 2, 2016: Project Management: Methodologies and Associated Risk

Volume 1, 2016: Transforming the Auditor

Volume 6, 2015: The Internet of Things

Volume 5, 2015: Cybersecurity

Volume 4, 2015: Regulations & Compliance