In information security, the statement of applicability (SoA) is more than just a checklist. It’s a strategic document that showcases how an organisation addresses its unique information security risks through targeted controls. For businesses implementing an information security management system (ISMS), the SoA is a cornerstone, particularly when aligning with the internationally recognised ISO/IEC 27001 standard.
What is the statement of applicability?
The statement of applicability is a mandatory document under ISO/IEC 27001 summarising the organisation’s chosen security controls. It provides a clear rationale for why certain controls are included or excluded, offering a transparent view of how the business mitigates identified information security risks.
Why is the SoA essential?
- Compliance evidence: The SoA proves to auditors and stakeholders that your organisation has systematically reviewed and applied the controls outlined in ISO/IEC 27001 Annex A.
- Risk management: By mapping specific risks to selected controls, the SoA ensures an effective approach to risk mitigation.
- Stakeholder confidence: A detailed SoA provides assurance to clients, regulators, and partners that information security risks are effectively managed.
- Implementation roadmap: It acts as a blueprint for applying, monitoring, and continuously improving security controls.
Anatomy of a statement of applicability
An effective SoA contains the following elements:
Control list
Includes all 114 controls from Annex A, grouped into 14 domains such as access control, cryptography, and incident management.
Applicability
Each control is marked as applicable or not. For applicable controls, the SoA specifies their implementation status.
Justifications
Detailed explanations for including or excluding controls, based on the organisation’s risk assessment.
References
Links to policies, procedures, and risk treatment plans that support the controls.
Version history
Ensures changes over time are tracked as risks evolve.
Steps to create a statement of applicability
- Conduct a risk assessment: Identify potential threats and vulnerabilities to your information assets.
- Select controls: Choose applicable controls from Annex A or other frameworks to mitigate risks.
- Draft the SoA: Document all controls, their applicability, and justifications.
- Review and approve: Engage senior management to validate the SoA and ensure it aligns with organisational goals.
- Maintain and update: Regularly review the SoA to reflect changes in the business environment or regulatory landscape.
Common challenges
Creating an SoA can be challenging. Some pitfalls include:
- Misjudging control relevance: Failing to correctly assess which controls are necessary.
- Inadequate justifications: Providing vague or incomplete reasons for control selection.
- Neglecting updates: Allowing the SoA to become outdated, leading to compliance gaps.
Example statement of applicability format
Control | Applicable? (Y/N) | Justification | Implementation status | Reference |
---|---|---|---|---|
A.5.1 Information security policies | Yes | Necessary to set a framework for ISMS | Fully implemented | Information security policy v1.2 |
A.10.1 Cryptographic controls | Yes | Protect sensitive data during storage and transmission | Partially implemented | Cryptography policy v3.0 |
A.13.2 Communications security | No | Organisation does not use public networks | N/A |
Why the SoA matters for certification
During ISO/IEC 27001 certification audits, the SoA is scrutinised to ensure:
- Completeness: All 114 controls are addressed.
- Consistency: The SoA aligns with the risk assessment and ISMS documentation.
- Implementation evidence: Applied controls are operational and effective.
The SoA is not just about compliance; it’s a demonstration of your organisation’s commitment to robust information security.
How ITLawCo can help
Crafting a fit-for-purpose and effective statement of applicability requires a nuanced understanding of both technical and regulatory requirements. At ITLawCo, we specialise in helping organisations navigate the complexities of ISO/IEC 27001 compliance.
Our services include:
- ISMS development: Building robust systems tailored to your organisation’s unique risks.
- Risk assessment and control selection: Ensuring the right controls are applied to mitigate identified risks.
- SoA drafting and maintenance: Creating clear, auditor-ready documents that align with ISO/IEC 27001 requirements.
- Training and support: Empowering your team with the knowledge to manage and improve your ISMS.
With ITLawCo, your organisation can confidently demonstrate its commitment to information security and achieve ISO/IEC 27001 certification with ease.
Ready to elevate your ISMS? Contact us today to learn how we can support your journey.