The importance of Statement of Applicability in ISO 27001 (sometimes referred to as SoA) is usually underrated – like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.
Actually, the Statement of Applicability (ISO 27001 Clause 6.1.3 d) is the main link between the risk assessment & treatment and the implementation of your information security – its purpose is to present a comprehensive view on how information security is implemented in the organization.
- definition of which controls (security measures) will be applied, covering the suggested controls from ISO 27001 Annex A
- justification for inclusion of controls that are applicable
- the implementation status of applicable controls (i.e., if they are implemented or not)
- justification for the exclusion of controls from Annex A that are not applicable
ISO 27001 Statement of Applicability – Why it is needed
Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:
- First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in SoA you also identify the controls that are required because of other reasons – i.e., because of the law, contractual requirements, because of other processes, etc.
- Second, the ISO 27001 Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from another source.
- Third, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short – it has a row for each control (controls from Annex A, plus the added ones), which makes it possible to present it to management and to keep it up-to-date.
- Fourth, and most important, SoA documents the implementation status of proposed controls. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g., either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.
What are the mandatory elements of the SoA?
According to the standard, these are the requirements from clause 6.1.3 d) to be fulfilled by a Statement of Applicability document:
- definition of which controls (security measures) will be applied, covering the suggested controls from ISO 27001 Annex A and potentially those from other sources
- justification for inclusion of controls that are applicable
- the implementation status of applicable controls (i.e., if they are implemented or not)
- justification for the exclusion of controls from Annex A that are not applicable
Please note that Annex A is considered to be comprehensive, but not exhaustive for all situations. That’s why organizations can also consider other sources for the controls (e.g., NIST special publications, ENISA guidelines, etc.).
The SoA document has a central role during the audit
Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.
A very small number of companies realize that by writing a good ISO 27001 Statement of Applicability you could decrease the number of other documents – for instance, if you want to document a certain control, but if the description of the procedure for that control would be rather short, you can describe it in the SoA documents. Therefore, you would avoid writing another document.
Statement of Applicability – Why it is useful
In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them. The good thing about SoA is that it forces organizations to do this job in a systematic way.
Therefore, you shouldn’t consider this document as just one of those “overhead documents” that have no use in real life – think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview (list, justification and description) of what needs to be done in information security, why it has to be done, and how it is done.
To learn more about the Statement of Applicability according to ISO 27001, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.