Show me desktop version

ISO 27001/ISO 22301 Knowledge base

The importance of Statement of Applicability for ISO 27001

Author: Dejan Kosutic

The importance of Statement of Applicability (sometimes referred to as SoA) is usually underrated – like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.

Actually, the Statement of Applicability (ISO 27001 Clause 6.1.3 d) is the main link between the risk assessment & treatment and the implementation of your information security – its purpose is to define which of the suggested 114 controls (security measures) from ISO 27001 Annex A you will apply, and for those that are applicable the way they will be implemented. As Annex A is considered to be comprehensive, but not exhaustive for all situations, nothing prevents you from also considering another source for the controls.

Why it is needed

Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

  • First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in SoA you also identify the controls that are required because of other reasons – i.e. because of the law, contractual requirements, because of other processes, etc.
  • Second, the Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from another source.
  • Third, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use; on the other hand, the Statement of Applicability is rather short – it has a row for each control (114 from Annex A, plus the added ones), which makes it possible to present it to management and to keep it up-to-date.
  • Fourth, and most important, SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g. either by making a reference to a document (policy/procedure/working instruction etc.), or by shortly describing the procedure in use, or equipment that is used.

Actually, if you go for the ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking out whether you have implemented your controls in the way you described them in your SoA. It is the central document for doing their on-site audit.

A very small number of companies realize that by writing a good Statement of Applicability you could decrease the number of other documents – for instance, if you want to document a certain control, but if the description of the procedure for that control would be rather short, you can describe it in the SoA. Therefore, you would avoid writing another document.

Why it is useful

In my experience, most companies implementing the information security management system according to ISO 27001 spend much more time writing this document than they anticipated. The reason for this is they have to think about how they will implement their controls: Are they going to buy new equipment? Or change the procedure? Or hire a new employee? These are quite important (and sometimes expensive) decisions, so it is not surprising that it takes quite a lot of time to reach them. The good thing about SoA is that it forces organizations to do this job in a systematic way.

Therefore, you shouldn’t consider this document as just one of those “overhead documents” that have no use in real life – think of it as the main statement where you define what you want to do with your information security. Written properly, SoA is a perfect overview (list, justification and description) of what needs to be done in information security, why it has to be done, and how it is done.

To learn how to write Statement of Applicability and other mandatory documents, check this free ISO 27001 Foundations Online Course.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 27001/ISO 22301 standards.

100% privacy respected. Unsubscribe at any time with a single click.

FREE ISO 27001/22301 CONSULTATION
Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera

GET FREE ADVICE

ISO 27001 & ISO 22301
Free Downloads

 

Document Template

Statement of Applicability

See Details

Upcoming free webinar
How to use a Documentation Toolkit for the implementation of ISO 27001 / ISO 22301
Wednesday - September 27, 2017

OUR PARTNERS

  • Exemplar Global (formerly RABQSA) is leading international
    authority in certification of training providers.
  • ITIL® is a registered trade mark of AXELOS Limited.
    Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of
    accredited management systems certification.
Request callback
Request callback

Or call us directly

International calls
+1 (646) 759 9933