Documentation is a crucial part of any ISO 27001 implementation project, and one of the most important documents you need to complete is the SoA (Statement of Applicability).
In this blog, we explain what an SoA is, why it’s important and how to produce one.
What is a Statement of Applicability?
An SoA summarises your organisation’s position on each of the 114 information security controls outlined in Annex A of ISO 27001.
Clause 6.1.3 of the Standard states that an SoA must:
- Identify which controls an organisation has selected to tackle identified risks;
- Explain why these have been selected;
- State whether or not the organisation has implemented the controls; and
- Explain why any controls have been omitted.
Every control should have its own entry, and in cases where the control has been selected, the SoA should link to relevant documentation about its implementation.
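As an added example, not part of the original post, the four Clause 6.1.3 requirements above can be checked mechanically before an audit. The script below is illustrative code: the entry fields, the risk IDs and the document paths are assumptions, and the sample uses three of the 114 Annex A control references with one entry left deliberately incomplete.

```python
from dataclasses import dataclass, field

@dataclass
class SoaEntry:
    control_id: str                 # Annex A reference, e.g. "A.9.4.2"
    selected: bool                  # chosen to treat an identified risk?
    justification: str              # why selected, or why omitted
    implemented: bool = False       # has the control been put in place?
    evidence: str = ""              # pointer to implementation documentation
    risks: list = field(default_factory=list)  # risk IDs from the risk assessment

def check_entry(e: SoaEntry) -> list:
    """Return the problems found in one entry (empty list means it passes)."""
    problems = []
    if not e.justification.strip():
        problems.append(f"{e.control_id}: missing justification")
    if e.selected:
        if not e.risks:
            problems.append(f"{e.control_id}: selected but linked to no identified risk")
        if not e.evidence.strip():
            problems.append(f"{e.control_id}: selected but no link to implementation documentation")
    elif e.implemented:
        problems.append(f"{e.control_id}: marked implemented but not selected")
    return problems

def check_soa(entries: list, expected_ids: list) -> list:
    """Check that every expected control has exactly one entry, then check each entry."""
    problems = []
    seen = [e.control_id for e in entries]
    for cid in expected_ids:
        n = seen.count(cid)
        if n == 0:
            problems.append(f"{cid}: no SoA entry")
        elif n > 1:
            problems.append(f"{cid}: {n} duplicate entries")
    for e in entries:
        problems.extend(check_entry(e))
    return problems

# Constructed sample: three Annex A controls; the third entry is deliberately incomplete.
SAMPLE_IDS = ["A.9.4.2", "A.11.1.1", "A.14.2.7"]
SAMPLE = [
    SoaEntry("A.9.4.2", True, "Treats risk R-12 (credential theft)", True, "docs/access-control.md", ["R-12"]),
    SoaEntry("A.11.1.1", False, "No physical premises; all infrastructure is cloud-hosted"),
    SoaEntry("A.14.2.7", True, "Treats risk R-30 (outsourced development)"),  # no evidence, no risk link
]

if __name__ == "__main__":
    for p in check_soa(SAMPLE, SAMPLE_IDS):
        print(p)
```

In practice the expected ID list would be all 114 Annex A references and the entries would be read from the SoA spreadsheet.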
Which controls do you need to implement?
Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment. These processes help organisations identify the risks they face, which they can match to the relevant control.
Annex A provides a useful outline of each control, but you’ll probably need something more in-depth when it comes to the implementation process. That’s where ISO 27002 comes in. It’s a supplementary standard in the ISO 27000 series, providing a detailed overview of information security controls.
ISO 27002 provides detailed information on each control, explaining how each one works and providing advice on how to implement it.
You’ll therefore benefit from having copies of both standards when creating your SoA.
Why is the Statement of Applicability important?
The SoA is a useful document for everyday operational use, because it provides comprehensive coverage of your organisation’s information security measures.
You can refer to it to understand how and why your organisation is tackling certain risks and accepting others.
This is especially important for continual improvement within your organisation. You can assess whether the controls you’ve implemented are working as intended and consider whether other controls might be more suitable.
Likewise, you can review why you chose to accept certain risks and determine whether the threat landscape has changed significantly enough to warrant a different decision.
An SoA also has significant regulatory consequences. If you are investigated for a data breach, you can use your SoA to justify your information security controls and prove that your defences were implemented in line with an ISO 27001-compliant risk assessment.
Looking for help with your ISO 27001 risk assessment process? Take a look at vsRisk Cloud, the online version of our simple risk assessment tool.
With vsRisk Cloud, you’ll get repeatable, consistent assessments year after year. Its integrated risk, vulnerability and threat database eliminates the need to compile a list of risks, and the built-in controls help you comply with multiple frameworks, including the GDPR (General Data Protection Regulation).
How to save time writing your Statement of Applicability
Developing an SoA can be daunting, but there are tools that can help, such as those contained in our ISO 27001 ISMS Documentation Toolkit.
Our Documentation Toolkit includes an SoA template to accelerate your documentation process.
The toolkit includes:
- A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
- Simple dashboards and gap analysis tools to ensure complete coverage of the Standard; and
- Direction and guidance from expert ISO 27001 practitioners.
A version of this blog was originally published on 9 November 2017.