The importance of the Statement of Applicability in ISO 27001 cannot be overstated. It is the central document that your certification auditors would use to walk through your Information Security Management System (ISMS) processes and controls.
So, if you are contemplating getting your organization ISO 27001 certified, this article is a must-read. Upon reading, you will understand what a Statement of Applicability (SOA) is, why it is critical in your certification process, and how to develop your SOA. Bonus: A downloadable SOA document template.
What is the ISO 27001 Statement of Applicability?
The Statement of Applicability (SOA) is the document that lists all the ISO 27001 Annex A controls. It records whether each control applies to your organization or not. The SOA also captures how the applicable controls are implemented and points to the relevant documentation on the implementation of each control. It must also include the controls that aren’t relevant to your organization and were therefore omitted from implementation, along with the reason(s) for their exclusion.
ISO 27001 Standard in Clause 6.1.3 states that the SOA must comprise:
- List of controls identified as a response to the identified risks
- An explanation for the choice of controls, how they have been implemented, and reasons for the omission of controls, where applicable
The SOA must be reviewed and approved by the management or relevant authority in the organization. And given the details of an organization’s security controls, the SOA should be treated as a confidential document.
Who does ISO 27001 apply to?
Before we dig deeper into the SOA’s nuances, let’s quickly qualify to whom ISO 27001 applies.
ISO 27001 applies to any organization that wants to bolster its information security management practices, align them to global standards, and needs a third-party certification to demonstrate its improved security posture. ISO 27001 isn’t limited to specific organizations or sectors: organizations of any size and sector can apply for ISO certification if they meet the requirements of the standard.
Which controls do you need to implement?
ISO 27001 lists the controls organizations must implement in Annex A. Annex A comprises 114 controls grouped into 14 categories. Of these 114 controls, organizations must only implement the controls relevant to their risk assessment and risk treatment plan.
So, you will need to go through the ISO 27001 controls list and sift out those that don’t apply to your organization. And as mentioned earlier, list reasonable explanations for the omission of those controls in the SOA. For instance, controls related to physical security at the workplace wouldn’t be relevant to a fully remote organization, but those related to teleworking would be.
The SOA can also include controls outside the purview of ISO 27001 that must be implemented to meet legal, business or contractual requirements.
Why Is the Statement of Applicability ISO 27001 Important?
The Statement of Applicability is important since it lists out the controls that organizations implement to meet the ISO 27001 standard requirements. Here’s a look at some other reasons why SOA is important.
Is a Must-have for Auditors
The SOA is a central piece in your ISO 27001 jigsaw and, therefore, a must-have document for auditors during internal audits, certification audits, and subsequent surveillance audits. Auditors use it to build their understanding of an organization’s security posture and its ISMS.
Makes for a Quick & Comprehensive Overview of Controls
The SOA gives a quick and comprehensive overview of the controls an organization has implemented and how, and details the reasons for excluding controls, wherever applicable. While an organization’s ISO 27001 risk assessment and risk treatment plan also cover these, and in much more detail, the SOA makes for an easier and shorter read.
Allows for Traceability
The SOA shows the linkages between the controls of the ISO 27001 standard and their actual implementation in the organization. It also helps ensure that no significant information security measure is overlooked.
Acts as a Useful Reference Guide
It makes for a handy reference guide for stakeholders (employees and customers included) to understand how and why an organization treats its risks. It is the central document to refer to when understanding and continually improving the ISMS.
Completing the Statement of Applicability ISO 27001 Template
Completing the Statement of Applicability is a time-consuming process. It requires you to understand your organization’s business operations and interests thoroughly. It can be pretty daunting, so come prepared.
But don’t be put off by it. Once done well, the SOA typically needs to be reviewed and updated only once a year, and those updates rarely amount to a major overhaul.
Here’s a five-step process on how to develop a Statement of Applicability in ISO 27001.
Step 1: Understand ISO 27001 requirements and the controls
Start with an understanding of the ISO 27001 requirements and the ISO 27001 controls. Reading the controls list alongside ISO 27002 will help you understand the controls even better.
Step 2: Conduct Risk Assessment
Start with the inventory of your information assets, and list the information security risks that could compromise the confidentiality, integrity, or availability of any of these assets within the scope of your Information Security Management System (ISMS). After identifying and defining your risk universe, assess each risk by its likelihood of occurrence and potential impact. You can rate each risk on a scale of 1-10 (10 being the highest impact) or rate them Low-Medium-High.
Step 3: Complete the Risk Treatment Plan
The Risk Treatment Plan documents an organization’s response to the threats, vulnerabilities, and risks identified in the risk assessment process. It details the security controls implemented in response to each identified risk. Some of the security controls you can deploy to treat risks are ISO 27001 security awareness training, access control, penetration testing, and vendor risk assessments, among others.
The ISO 27001 standard sets out four possible risk treatment options.
This document is critical, and is examined in great detail by the external auditor during the ISO 27001 certification audit and the subsequent periodic audits.
Step 4: Select the applicable ISO 27001 Controls
Based on the risk treatment plan and the specifics of the information security controls deployed, you can select the applicable controls.
Step 5: Prepare the Statement of Applicability
Here are some valuable tips to consider before you embark on the task:
- As a best practice, begin with an understanding of the ISMS scope and keep the list of information assets, risk assessments and risk treatment plan handy. The SOA should be prepared as a coherent extension of what’s already been documented in these processes.
- Have a copy of the ISO standard. Go through the controls listed in Annex A alongside ISO 27002, which complements your understanding of the controls by detailing best practices for implementing them.
- Don’t take the task up in isolation. Involve HR, IT and other departments to help you through the process.
While many templatized versions of the SOA are available, the easiest approach is to make your own in a spreadsheet. List all the controls in the spreadsheet and, for each one, document whether the control applies to your organization, the date it was last assessed, and, if it’s not applicable, why. It’s good practice to point to how each applicable control is implemented through links to the detailed documentation for that control.
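As an added illustration (not code from the article or from Sprinto), the Python sketch below derives SOA rows of the kind described above from a risk treatment plan and flags the two Clause 6.1.3 gaps an auditor would look for: an excluded control with no reason, and an applicable control with no pointer to its implementation. The Annex A subset uses real 2013 control identifiers, but the risks, exclusion reasons and document references are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed subset of ISO 27001:2013 Annex A (real identifiers, tiny sample).
ANNEX_A = {
    "A.6.2.2": "Teleworking",
    "A.9.1.1": "Access control policy",
    "A.11.1.1": "Physical security perimeter",
    "A.12.6.1": "Management of technical vulnerabilities",
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int   # 1-10, from the risk assessment (step 2)
    impact: int       # 1-10, 10 = highest impact
    controls: tuple   # Annex A ids chosen in the risk treatment plan (step 3)

    def score(self) -> int:
        return self.likelihood * self.impact

def build_soa(risks, exclusions, evidence, assessed):
    """One SOA row per Annex A control, plus the Clause 6.1.3 gaps found."""
    selected = {c for r in risks for c in r.controls}
    rows, problems = [], []
    for cid, title in ANNEX_A.items():
        row = {"control": cid, "title": title, "last_assessed": assessed,
               "applicable": cid in selected, "implementation": None}
        if cid in selected:
            row["justification"] = "selected by risk treatment plan"
            row["implementation"] = evidence.get(cid)
            if not row["implementation"]:
                problems.append(f"{cid}: applicable but no implementation reference")
        else:
            row["justification"] = exclusions.get(cid)
            if not row["justification"]:
                problems.append(f"{cid}: excluded without a documented reason")
        rows.append(row)
    return rows, problems

# Constructed data for a fully remote organization, as in the article's example.
RISKS = [
    Risk("laptops", "device stolen in transit", 4, 8, ("A.6.2.2", "A.9.1.1")),
    Risk("SaaS stack", "known vulnerability left unpatched", 6, 9, ("A.12.6.1",)),
]
EXCLUSIONS = {"A.11.1.1": "no office premises; all staff work remotely"}
EVIDENCE = {"A.6.2.2": "POL-07 Teleworking Policy", "A.9.1.1": "POL-03 Access Control Policy"}
SOA, PROBLEMS = build_soa(RISKS, EXCLUSIONS, EVIDENCE, date(2023, 1, 15))
```

Writing `SOA` out with `csv.DictWriter` gives the spreadsheet layout the article recommends; `PROBLEMS` is the list to clear before management signs the document off.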
Download your ISO 27001 Statement of Applicability Template
It’s critical to periodically review the applicability of the controls and to continually improve the SOA based on observations made during internal audits and certification audits.
Which version of the ISO 27001 Statement of Applicability is required?
Before we answer which version of the SOA is required, let’s quickly understand what’s changed.
What’s changed in ISO 27002?
Until recently, ISO 27002 mirrored the controls list in Annex A of ISO 27001 and gave detailed guidance on implementing them. That has now changed with ISO 27002:2022. While the intent remains to supplement the ISO 27001 controls, the changes can be treated as a precursor to the changes that can be expected in the controls list too.
Here’s a snapshot of what’s changed:
Instead of the 14 categories earlier, the updated ISO 27002 has only four categories – Organizational, People, Physical, and Technological. Even though the number of controls has been reduced, no controls have been excluded.
- 35 controls remain the same, apart from a change in their control number and realignment to the four new categories
- 11 new controls were added
- 23 controls were renamed
- 57 controls were merged into 24 controls
What does it mean for your SOA?
ISO 27001 isn’t yet officially updated and published. Organizations can, nonetheless, leverage the published ISO 27002 standard and proactively adopt the new structure. This will require updating the SOA to address the additions and changes.
The changes, however, have yet to be incorporated officially. Even after they are formally implemented, there will be a transition period of three years for the currently certified companies.
How to Develop a Statement of Applicability in ISO 27001 with Sprinto
Good security practices require consistency throughout the year. They can’t yo-yo alongside your audit cycles. Sprinto can automate compliance for you so that you have the means to maintain a robust security posture at all times. Sprinto is built to add value and ease to your continuous monitoring practices and make your compliance experience fast and error-free.
While it isn’t impossible to make your own SOA, it does demand a lot of time and attention. When you work with Sprinto, you get an integrated risk assessment with pre-mapped controls. What’s more, you get hands-on support from our in-house compliance experts in preparing your SOA at no additional cost to your ISO 27001 certification.
Talk to Sprinto today for a successful compliance journey with minimal effort from your teams.