ISO 27001 Statement of Applicability (All you need to know)

The importance of the Statement of Applicability in ISO 27001 cannot be overstated. It is the central document that your certification auditors would use to walk through your Information Security Management System (ISMS) processes and controls.

So, if you are contemplating getting your organization ISO 27001 certified, this article is a must-read. Upon reading, you will understand what a Statement of Applicability (SOA) is, why it is critical in your certification process, and how to develop your SOA. Bonus: A downloadable SOA document template.

What is the ISO 27001 Statement of Applicability (SOA)?

A Statement of Applicability is a document required for ISO 27001 certification that lists all the ISO 27001 Annex A controls and indicates whether each of the controls applies to an organization or not.

The SOA also captures how the controls are implemented, and points to the relevant documentation on the implementation of each control. It must also include the controls that aren’t relevant to your organization and, therefore, were omitted from implementation. SOA should also list the reason(s) for their exclusion.

ISO 27001 Standard in Clause 6.1.3 states that the SOA must:

• List of controls identified as a response to the identified risks
• Explain the choice of controls, how they have been implemented, and reasons for the omission of controls, where applicable)

The SOA must be reviewed and approved by the management or relevant authority in the organization. And given the details of an organization’s security controls, the SOA should be treated as a confidential document.

Importance of Statement of Applicability to ISO 27001

The Statement of Applicability is important since it lists out the controls that organizations implement to meet the ISO 27001 standard requirements. Here’s a look at some other reasons why SOA is important.

Is a must-have auditor ask

SOA is a central piece in your ISO 27001 jigsaw and, therefore, is a must-have document for auditors during internal audits, certification audits, and subsequent surveillance audits. Auditors build on their understanding of an organization’s security posture and its ISMS using it.

Makes for a quick and comprehensive overview of controls

The SOA gives a quick and comprehensive overview of the controls an organization has implemented and how, as well as details the reasons for excluding controls, wherever applicable. While an organization’s ISO 27001 risk assessment and risk treatment plan too would cover these, and do so in much detail, the SAO makes for an easier and shorter read of the implementation status of the technical controls.

Allows for traceability

The SOA shows the linkages between the controls of the ISO 27001 standard and its actual implementation in the organization. It also ensures organizations overlook no significant information security measures.

Acts as a useful reference guide

It makes for a nifty reference guide for stakeholders (employees, customers, included) to understand how and why an organization treats its risks. It makes for a central document to refer to, understand and continually improve the ISMS.

Which ISO 27001 controls under SOA do you need to implement?

ISO 27001 lists the controls organizations must implement in Annex A. Its controls set comprises 114 controls categorized across 14 categories. Of these 114 controls, organizations must only implement the controls relevant to their risk assessment and risk treatment plan.

So, you will need to scour over the ISO 27001 controls list and sift out those that don’t apply to your organization. And as was mentioned earlier, list reasonable explanations for the omission of those controls in the SOA. For instance, controls related to physical security at the workplace wouldn’t be relevant to a remote organization, but those related to teleworking would be.

The SOA can also include controls outside the purview of ISO 27001 but must be implemented in terms of legal, business or contractual requirements.

How to create the ISO 27001 statement of applicability in 5 steps

Completing the Statement of Applicability is a time-consuming process. It requires you to understand your organization’s business operations and interests thoroughly. It can be pretty daunting, so come prepared.

But don’t be put off by it. Once done well, this exercise would be reviewed/updated only once a year and might not require major overhauls.

Here’s a five-step process on how to develop a Statement of Applicability in ISO 27001.

1. Understand ISO 27001 requirements and the controls

To begin with, start with an understanding of the ISO 27001 requirements and ISO 27001 controls. Reading the controls list alongside ISO 27002 would help you understand the controls even better.

2. Conduct risk assessment

Start with the inventory of your information assets, and list the information security risks that could compromise the confidentiality, integrity, and availability of any of these assets within the scope of your Information Security Management Systems, ISMS. After identifying and defining your risk universe, assess the risks by their likelihood of occurrence and potential impact. You can rank each risk on a scale of 1-10 (10 being the highest impact) or rank them Low-Medium-High.

3. Complete the risk treatment plan

The Risk Treatment Plan documents an organization’s response to the many identified threats, vulnerabilities, and risks in the risk assessment process. The risk treatment plan will detail the security control implemented in response to the identified risk. Some of the security controls you can deploy to treat risks are ISO 27001 security awareness training, access control, penetration test, and vendor risk assessments, among others.

The ISO 27001 standard lines up four possible risk treatment options.

This document is critical, and is looked at in great detail by the external auditor during the ISO 27001 certification audit and the subsequent periodical audits.

4. Select the applicable ISO 27001 Controls

Based on the risk treatment plan and the specifics of the information security controls deployed, you can select the applicable controls.

You can evaluate the risks by breaking it down using the CIA triad (confidentiality, integrity, and availability). Doing so shows your commitment to a holistic SOA approach that does not just focus on just getting compliant, but actually prioritizing security.

5. Prepare the Statement of Applicability

Here are some valuable tips to consider before you embark on the task:

• As a best practice, begin with an understanding of the ISMS scope and keep the list of information assets, risk assessments and risk treatment plan handy. The SOA should be prepared as a coherent extension of what’s already been documented in these processes.
• Have a copy of the ISO standard. Go through the controls listed in Annex A alongside ISO 27002, which complements your understanding of the controls by detailing the best practices for implementing ISO 27001 controls.
• Don’t take the task up in isolation. Involve HR, IT and other departments to help you through the process.

Sprinto is equipped with a toolkit to build an integrated pipeline of ISO 27001 controls and automated checks to ensure an ISMS. Manage your end to end compliance processes by effortlessly gathering evidence in an auditor-approved way towards ISO 27001 audit and certification without compromising speed or budget. Learn more. 

While many templatized versions of SOA are available, the easiest is to make your own on a spreadsheet. List all the controls on the spreadsheet, document if the control applies to your organization, the date of the last assessment, and if it’s not applicable, why. It’s a good practice to point to how the control is implemented through links to the details document for the relevant controls.

It’s critical to periodically review the applicability of the controls and continually improve it based on observations made during internal audits, and certification audits.

Traditionally, organizations, especially the smaller and inexperienced ones use semi-manual tools like Excel sheets, calculators, and documentation systems. Using these tools for planning, documenting, and implementing activities around risks, assets, and controls is easier said than done. More often than not, this spirals out of control and eats up engineering bandwidth.

Automating the process to manage deviations and prevent stop-gap efforts. See how Sprinto can help.

Which version of the ISO 27001 Statement of Applicability is required?

Before we answer that, let’s quickly understand the changes.

What’s changed in ISO 27002?

The ISO 27002 up unit recently mirrored the controls list in Annex A of ISO 27001 and gave detailed guidance on implementing them. That’s now changed with ISO 27002:2022. While the intent remains to supplement ISO 27001 controls, the changes can be treated as a precursor to the changes that can be expected in the controls list too.

Here’s a snapshot of what’s changed:

Instead of the 14 categories earlier, the updated ISO 27002 has only four categories – Organizational, People, Physical, and Technological. Even though the number of controls has been reduced, no controls have been excluded.

• 35 controls remain the same but for a change in their control number and aligned to the four new categories
• 11 new controls
• 23 controls renamed 
• 57 controls merged into 24 controls

What does it mean for your SOA?

ISO 27001 isn’t yet officially updated and published. Organizations can, nonetheless, leverage the published ISO 27002 standard and proactively adopt the new standard. This will require an updating of the SOA to address the additions and updates. 

The changes, however, have yet to be incorporated officially. After fromal implemention, there will be a transition period of three years for the currently certified companies. 

Develop an ISO 27001 Statement of Applicability (SOA) with Sprinto

Good security practices require consistency throughout the year. They can’t yo-yo alongside your audit cycles. Sprinto can automate compliance for you such that you get the muscle to maintain a robust security posture always. Sprinto adds value and ease to your continuous monitoring practices and makes your compliance experience fast and error-free.

While it isn’t impossible to make your SOA, it does demand a lot of time and attention to it. But when you work with Sprinto, you can get an integrated risk assessment with pre-mapped controls. What’s more, you get hands-on support from our in-house compliance experts in preparing your SOA at no additional costs of ISO 27001 Certification.

Talk to Sprinto today for a successful compliance journey with minimal effort from your teams.

FAQ

What is the statement of applicability of ISO 27001 2013?

A Statement of Applicability is a document essential for ISO 27001 certification. It’s a report that states the Annex A controls as well as the Annex A controls that were excluded that your organization determined to be necessary for mitigating information security risk.

What is the statement of the applicability list of the ISO 27001?

The Statement of Applicability (SoA) defines the list of information security controls that your organization is implementing, taken directly from ISO 27001 Annex A, which is also a standard referred to as ISO 27002.

What documents are required by the certification bodies for ISO 27001 SOA?

The internal documents of your ISO 27001 SOA are your information security policy, risk assessment report, version control records, ISMS scope, and evidence of control implementation. 

What is the difference between ISO 27001 SoA and a scope? 

The ISO 27001 Statement of Applicability identifies security controls applicable to an organization’s ISMS, while the scope defines its boundaries and specifies what information assets and business processes are covered by the certification.