The importance of Statement of Applicability for ISO 27001
The importance of Statement of Applicability in ISO 27001 (sometimes referred to as SoA) is usually underrated – like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.
Actually, the Statement of Applicability (ISO 27001 Clause 6.1.3 d) is the main link between the risk assessment & treatment and the implementation of your information security – its purpose is to define which of the suggested 114 controls (security measures) from ISO 27001 Annex A you will apply, and for those that are applicable the way they will be implemented. As Annex A is considered to be comprehensive, but not exhaustive for all situations, nothing prevents you from also considering another source for the controls.
Why it is needed
Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:
- First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in SoA you also identify the controls that are required because of other reasons – i.e. because of the law, contractual requirements, because of other processes, etc.
- Second, the Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from another source.
- Third, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short – it has a row for each control (114 from Annex A, plus the added ones), which makes it possible to present it to management and to keep it up-to-date.
- Fourth, and most important, SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g. either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.
Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.
A very small number of companies realize that by writing a good Statement of Applicability you could decrease the number of other documents – for instance, if you want to document a certain control, but if the description of the procedure for that control would be rather short, you can describe it in the SoA. Therefore, you would avoid writing another document.
Why it is useful
In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them. The good thing about SoA is that it forces organizations to do this job in a systematic way.
Therefore, you shouldn’t consider this document as just one of those “overhead documents” that have no use in real life – think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview (list, justification and description) of what needs to be done in information security, why it has to be done, and how it is done.
To learn how to write Statement of Applicability and other mandatory documents, check this free ISO 27001 Foundations Online Course.