What is the ISO 27001 Statement of Applicability

The Statement of Applicability (SoA) is required by ISO 27001 Clause 6.1.3 d) and is the central document that records which security controls you will implement, why, and how. It defines a large part of how your information security is actually put into practice.

It is the link between the risk assessment and how risk treatment is implemented in your information security management system (ISMS). Its purpose is to state which of the suggested security controls in ISO 27001 Annex A you will apply (114 controls in the 2013 edition of the standard; the 2022 edition restructured Annex A into 93 controls) and, for the ones that are applicable, how they will be implemented. It is worth noting that Annex A is considered comprehensive but not exhaustive for all circumstances, so you may wish to consider other sources for appropriate controls. Clause 6.1.3 c) expressly asks you to compare the controls you have chosen with Annex A to verify that no necessary control has been overlooked.

Why is the SoA Needed

We are sometimes asked by clients why the SoA is necessary when they have already produced a Risk Assessment Report which defines the required controls.

During risk treatment, you identify the controls that are necessary to address the identified risks that need to be reduced. However, in the SoA you also identify the controls that are required for other reasons, such as laws, regulations and contractual requirements. The SoA also justifies the inclusion and exclusion of each control from Annex A, and the inclusion of any controls taken from another source.

Sometimes, depending on the method used, the Risk Assessment Report can be lengthy. Some large organisations might identify hundreds or thousands of security risks, so the report can be quite cumbersome. Conversely, the SoA is relatively short and typically has one row per control (114 rows for the 2013 edition of Annex A), which makes it simpler to present to management and other stakeholders and also to keep up to date.

It is important that the SoA documents whether each applicable control has been implemented or not. It is good practice to briefly describe how each applicable control is implemented, either by making a reference to a document (policy, procedure, working instruction, etc.) or by describing the technical solution or procedure. A control that is marked as applicable but has neither an implementation status nor a reference is a gap an auditor will notice immediately.
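The cross-checks described above (every Annex A control has a row, every control chosen during risk treatment or demanded by a law or contract is not marked "not applicable", every row carries a justification, and every applicable control has an implementation status and a reference) are easy to automate once the SoA is kept in a structured form. The following Python is an added example and is not code from the original article or from any ISO tool; the Annex A subset, risk treatment plan, legal and contractual drivers and SoA rows are all constructed for illustration (the contract and regulation names are hypothetical), and in practice you would load the full Annex A list for your edition of the standard.

```python
"""Consistency checks between a risk treatment plan, other control drivers
(laws, regulations, contracts) and a Statement of Applicability (SoA).

Added illustrative example, not part of the original article. Control
identifiers follow ISO 27001:2013 Annex A; ANNEX_A below is a small
constructed subset, not the full 114 controls.
"""
from dataclasses import dataclass

# Constructed subset of Annex A (2013 edition) used by this example.
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.8.1.1": "Inventory of assets",
    "A.9.2.1": "User registration and de-registration",
    "A.9.4.2": "Secure log-on procedures",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.12.4.1": "Event logging",
    "A.14.2.1": "Secure development policy",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}


@dataclass
class SoARow:
    control: str
    applicable: bool
    justification: str = ""
    implemented: bool = False
    reference: str = ""  # policy/procedure reference or technical description


# Constructed risk treatment plan: risk -> controls chosen to reduce it.
RISK_TREATMENT = {
    "R-01 unauthorised access to HR data": ["A.9.2.1", "A.9.4.2"],
    "R-02 undetected server compromise": ["A.12.4.1"],
    "R-03 vulnerable in-house web application": ["A.14.2.1"],
}

# Constructed non-risk drivers (hypothetical regulation and contract names).
OTHER_REQUIREMENTS = {
    "A.18.1.4": "UK GDPR obligation (hypothetical)",
    "A.10.1.1": "Customer contract C-42, clause 7 (hypothetical)",
}

# Constructed SoA containing deliberate defects for the checker to find.
SOA = [
    SoARow("A.5.1.1", True, "Required by clause 5.2", True, "ISP-001 Information Security Policy"),
    SoARow("A.8.1.1", True, "Needed to scope the risk assessment", False, ""),
    SoARow("A.9.2.1", True, "Treats R-01", True, "ACC-003 joiners/leavers procedure"),
    SoARow("A.9.4.2", True, "Treats R-01", True, ""),              # implemented, no reference
    SoARow("A.10.1.1", True, "", True, "CRY-001 cryptography standard"),  # no justification
    SoARow("A.12.4.1", False, "No servers in scope", False, ""),   # excluded but treats R-02
    SoARow("A.14.2.1", True, "Treats R-03", False, "SDLC-001 (draft)"),
    # A.18.1.4 has no row at all
]


def required_controls(risk_treatment, other_requirements):
    """Map each control that must be applicable to the reasons demanding it:
    the risks it treats plus any legal, regulatory or contractual drivers."""
    reasons = {}
    for risk, controls in risk_treatment.items():
        for control in controls:
            reasons.setdefault(control, []).append(risk)
    for control, source in other_requirements.items():
        reasons.setdefault(control, []).append(source)
    return reasons


def check_soa(soa, annex_a=ANNEX_A, risk_treatment=RISK_TREATMENT,
              other_requirements=OTHER_REQUIREMENTS):
    """Return the gaps an auditor would raise against the SoA."""
    rows = {row.control: row for row in soa}
    required = required_controls(risk_treatment, other_requirements)
    findings = {
        "missing_row": [],            # Annex A or required control with no SoA row
        "excluded_but_required": [],  # marked not applicable yet demanded by a reason
        "no_justification": [],       # inclusion/exclusion not justified
        "not_implemented": [],        # applicable but status is "not implemented"
        "no_reference": [],           # implemented but nothing says how
    }
    for control in sorted(set(annex_a) | set(required)):
        if control not in rows:
            findings["missing_row"].append(control)
    for control, row in rows.items():
        if not row.justification.strip():
            findings["no_justification"].append(control)
        if not row.applicable:
            if control in required:
                findings["excluded_but_required"].append((control, required[control]))
            continue
        if not row.implemented:
            findings["not_implemented"].append(control)
        elif not row.reference.strip():
            findings["no_reference"].append(control)
    return findings


if __name__ == "__main__":
    for category, items in check_soa(SOA).items():
        print(f"{category}: {items}")
```

Running the script on the constructed data reports A.18.1.4 as missing a row, A.12.4.1 as excluded even though risk R-02 depends on it, A.10.1.1 as lacking a justification, A.8.1.1 and A.14.2.1 as not yet implemented, and A.9.4.2 as implemented without any reference to say how. The "excluded but required" check is the one that ties the SoA back to the risk treatment plan: an exclusion is only defensible when nothing in the treatment plan or the legal and contractual requirements calls for that control.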

If you decide to go for ISO 27001 certification with a UKAS-accredited body, the certification auditor may use your Statement of Applicability as a checklist of controls to be audited and may look into whether or not you have implemented the controls in the way you described them.

By writing a good Statement of Applicability you may be able to reduce the number of other documents in your Information Security Management System. For example, if you want to document a certain control but the description of the procedure is short or informal and would not warrant a separate procedure, you could describe it in the SoA itself.

How is the SoA Useful

In our experience, many companies implementing an Information Security Management System according to ISO 27001 spend much more time writing this document than they anticipated. One of the reasons for this is that they have to think about how they will implement each of their controls: do they need new equipment, a changed procedure, or a new employee? These can be important and potentially expensive decisions, hence the time taken to reach them. So, the main benefit of the SoA is that it forces organisations to assess security controls in a systematic way.

In summary, you shouldn't consider the SoA as just another "overhead document" with no practical use. Think of it as the place where you define what you want to do with your information security. Written well, the SoA is a complete overview, with justification and description, of what needs to be done with respect to information security.
