Statement of Applicability: What you need to know!

In ISO 27001, a Statement of Applicability (SoA) is a crucial document that outlines which controls from the standard's Annex A are applicable to the organisation and how they are managed. Below is a breakdown of its key components.

  • Control Selection: The SoA lists all the controls from Annex A of ISO 27001 and specifies which ones are applicable to the organisation. These controls address various aspects of information security, such as access control, risk management, and incident response.
  • Justification: For each control, the SoA provides a justification for its inclusion or exclusion. This explanation clarifies why certain controls are or are not relevant to the organisation's specific context, taking into account factors such as the organisation's risk assessment and information security needs.

For example: if you are a cloud-based organisation that doesn't have a physical office, then you might deem the physical security controls of Annex A as not applicable in your Statement of Applicability!

  • Implementation Status: The document also details the current status of each control, including whether it is implemented, in progress, or not yet implemented. This helps in tracking the organisation's progress in meeting its information security objectives.
  • Control Objectives: The SoA outlines how each control supports the organisation's information security objectives and ensures compliance with the ISO 27001 standard.
  • Links to Policies and Procedures: It often references related policies, procedures, and other documentation that support the implementation and management of the controls.

Overall, the Statement of Applicability serves as a key reference point for ensuring that an organisation's information security management system (ISMS) is aligned with ISO 27001 requirements and is tailored to its specific risks and needs.

Still not sure what a Statement of Applicability should look like? Below is a screenshot showing a standard SoA; it's not too dissimilar to a risk register!
