
The importance of Statement of Applicability for ISO 27001

Author: Dejan Kosutic

The importance of the Statement of Applicability (usually abbreviated SoA) is often underrated. Like the Quality Manual in ISO 9001, it is the central document that defines how you will implement a large part of your information security.

The Statement of Applicability (ISO 27001 clause 6.1.3 d) is the main link between risk assessment and treatment on one side and the implementation of your information security on the other. Its purpose is to define which of the 114 controls (security measures) listed in Annex A of ISO 27001:2013 you will apply, and, for those that are applicable, how they will be implemented. Annex A is considered comprehensive but not exhaustive, so nothing prevents you from also taking controls from another source.

Why it is needed

Why is such a document necessary when you have already produced the Risk Assessment Report (which is also mandatory) and which also defines the necessary controls? Here are the reasons:

  • First, during risk treatment you identify the controls that are necessary because you have identified risks that need to be reduced; in the SoA, however, you also record the controls that are required for other reasons, e.g. legal or contractual requirements, or the needs of other processes.
  • Second, the Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from another source.
  • Third, the Risk Assessment Report can be quite lengthy (some organizations identify a few thousand risks, sometimes more), so it is not really useful for everyday operational use. The Statement of Applicability, on the other hand, is rather short: one row per control (114 from Annex A, plus any you add), which makes it possible to present it to management and to keep it up to date.
  • Fourth, and most important, the SoA must document whether each applicable control is already implemented or not. Good practice (and most auditors will look for this) is also to describe how each applicable control is implemented, e.g. by referencing a document (policy, procedure, working instruction, etc.), by briefly describing the procedure in use, or by naming the equipment used.

If you go for ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking whether you have implemented the controls the way you described them in the SoA. It is the central document for the on-site audit.
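The links described above (risk treatment and legal/contractual requirements on one side, one justified and referenced row per control on the other) can be checked mechanically before the auditor does it by hand. The Python below is an added example, not code from the original article or from Advisera; the risk treatment plan, the other requirements and the SoA rows are constructed data, and the Annex A catalogue is a six-control subset using ISO/IEC 27001:2013 identifiers rather than the full 114.

```python
"""Cross-check a Statement of Applicability (SoA) against a risk treatment plan.

Added example, not part of the original article. All data below is
constructed for illustration; ANNEX_A is a small subset of ISO/IEC 27001:2013
Annex A (six of the 114 controls)."""
from dataclasses import dataclass, field

# Constructed subset of Annex A (ISO/IEC 27001:2013 control IDs and titles).
ANNEX_A = {
    "A.5.1.1": "Policies for information security",
    "A.9.1.1": "Access control policy",
    "A.11.1.1": "Physical security perimeter",
    "A.12.6.1": "Management of technical vulnerabilities",
    "A.14.2.1": "Secure development policy",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}

# Constructed risk treatment plan: risk ID -> controls chosen to treat it.
RISK_TREATMENT = {
    "R-001": ["A.12.6.1", "A.9.1.1"],
    "R-002": ["A.11.1.1"],
}

# Constructed non-risk drivers (law, contracts) that also require a control.
OTHER_REQUIREMENTS = {"A.18.1.4": "data protection law", "A.5.1.1": "ISMS framework"}


@dataclass
class SoaRow:
    control: str
    applicable: bool
    justification: str                 # why the control is included or excluded
    implemented: bool
    reference: str = ""                # policy/procedure, or a short description
    risk_ids: list = field(default_factory=list)   # risks this control treats


def check_soa(soa, risk_treatment=RISK_TREATMENT,
              other_requirements=OTHER_REQUIREMENTS, catalogue=ANNEX_A):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    rows = {r.control: r for r in soa}

    # 1. Every catalogue control needs a row: exclusions must be justified too.
    for cid in catalogue:
        if cid not in rows:
            findings.append(f"{cid}: no SoA row (exclusions need justification too)")

    # 2. Controls selected during risk treatment or required by law/contract
    #    must be marked applicable.
    required = {c for ctrls in risk_treatment.values() for c in ctrls}
    required |= set(other_requirements)
    for cid in sorted(required):
        row = rows.get(cid)
        if row is None or not row.applicable:
            findings.append(f"{cid}: required but not applicable in SoA")

    # 3. Row-level completeness: justification, implementation description,
    #    and every referenced risk must actually select this control.
    for cid, row in rows.items():
        if not row.justification.strip():
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append(f"{cid}: no justification for {kind}")
        if row.applicable and not row.reference.strip():
            findings.append(f"{cid}: applicable but no implementation reference/description")
        for rid in row.risk_ids:
            if cid not in risk_treatment.get(rid, []):
                findings.append(f"{cid}: references risk {rid} that does not select it")

    # 4. Traceability in the other direction: a control chosen for a risk
    #    should list that risk ID in its row.
    for rid, ctrls in risk_treatment.items():
        for cid in ctrls:
            row = rows.get(cid)
            if row is not None and rid not in row.risk_ids:
                findings.append(f"{cid}: selected for {rid} but row does not reference it")
    return findings


def sample_soa():
    """Constructed SoA with deliberate gaps so that check_soa() has something to find."""
    return [
        SoaRow("A.5.1.1", True, "Required as ISMS framework", True,
               "Information Security Policy v2"),
        SoaRow("A.9.1.1", True, "Treats R-001", True, "Access Control Policy", ["R-001"]),
        SoaRow("A.11.1.1", True, "Treats R-002", False, "", ["R-002"]),   # no description
        SoaRow("A.12.6.1", False, "", False),        # excluded although R-001 selects it
        SoaRow("A.14.2.1", False, "No in-house software development", False),
        # A.18.1.4 is missing entirely, although required by data protection law
    ]


if __name__ == "__main__":
    for finding in check_soa(sample_soa()):
        print(finding)
```

Running the block prints six findings for the constructed SoA: the missing row for A.18.1.4, two controls required but not applicable, a missing exclusion justification, an applicable control with no implementation description, and a broken risk-to-control reference. Pointing the same check at a real SoA export (one row per control, with a risk ID column as the reply below recommends) gives an auditor-style walk-through before the certification audit.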

Few companies realize that a well-written Statement of Applicability can reduce the number of other documents: if you need to document a control but the description of its procedure would be rather short, you can describe it directly in the SoA and avoid writing a separate document.

Why it is useful

In my experience, most companies implementing an information security management system according to ISO 27001 spend much more time writing this document than they anticipated, because it forces them to decide how they will implement their controls: Will they buy new equipment? Change a procedure? Hire a new employee? These are important (and sometimes expensive) decisions, so it is not surprising that they take time. The good thing about the SoA is that it forces organizations to do this job systematically.

So do not treat this document as one of those “overhead documents” with no use in real life; think of it as the main statement of what you intend to do about your information security. Written properly, the SoA is a complete overview (list, justification and description) of what needs to be done in information security, why it has to be done, and how it is done.

To learn how to write the Statement of Applicability and the other mandatory documents, check this free ISO 27001 Foundations Online Course.


9 responses to “The importance of Statement of Applicability for ISO 27001”

  1. Luis Daniel Lucio Quiroz says:

    Nice definition, I remember when we did our first SoA, it was not easy.

  2. Dayne Skolmen says:

    Hi Dejan

    Thank you for the interesting article.
    Quick question: How would the SoA be impacted by the number of physical locations/sites covered under the ISMS? Would it be advisable to indicate for each control, which sites they have been implemented (or are applicable) at? In addition to this question, how would the SoA change when there is a scope extension?

    I look forward to hearing from you.

    Kind regards,
    Dayne Skolmen

    • Yes, if you have several locations or departments, you can indicate in the SoA for each control in which of these locations or departments the control is implemented. However, if the SoA refers to a policy or a procedure, then this policy/procedure can specify to which locations or departments it is applicable.

      When you extend the ISMS scope, you should perform again the risk assessment and treatment – based on those new inputs, you should update the Statement of Applicability.

  3. Gareth says:

    Hello Dejan,

    Thanks Dayne for the good question.

    I have another: should the SoA be publicly available, or at least on request after signing an NDA? I have a vendor refusing to send me their SoA even after signing an NDA. How am I meant to identify what controls they have/have not been certified against? The certificate references the SoA but I can’t see it.

    Cheers,
    Gareth

    • ISO 27001 does not require the Statement of Applicability to be published, nor is this a requirement of certification bodies.

      Quite often SoA contains very confidential information so in such case I don’t think it should be sent to anyone – of course, the vendor can show such document to an important client, but probably not send it.

  4. ozfan2013 says:

    Hi Dejan,

    It seems like the whole point of the standard is to establish a risk-based security management system, where you can trace the assets through to risks through to controls.

    Does the SoA need to reference the threats/risks that each control is seeking to mitigate? It seems like there can be a disconnect between the risk assessment and the SoA, where the organisation focuses on implementing the “controls” rather than a focus on mitigating the specific risks.

    If the SoA is meant to reference the risk, what do you do about controls like “establishing a security policy”? It’s a general step in establishing a security posture but doesn’t mitigate a specific risk. It contributes to the mitigation of all risks.

    Put another way, how do you balance the general needs of a security program with the specific controls needed for specific risks? (I’m thinking particularly about the documentation requirement differences)

    Regards
    Roy

    • Thanks for your comments, Roy – here are the answers:

      Q: “It seems like the whole point of the standard is to establish a risk-based security management system, where you can trace the assets through to risks through to controls.”
      A: As you stated, the purpose of ISO 27001 is to establish a security management system based on risks, however listing the assets is not mandatory according to the standard, and risks are not the only input – the second major input are the requirements of the interested parties.

      Q: “Does the SoA need to reference the threats/risks that each control is seeking to mitigate? It seems like there can be a disconnect between the risk assessment and the SoA, where the organisation focuses on implementing the “controls” rather than a focus on mitigating the specific risks.”
      A: The Statement of Applicability needs to reference each risk related to a control. It is enough to refer to the risk ID; nothing else is needed.

      Q: “Put another way, how do you balance the general needs of a security program with the specific controls needed for specific risks? (I’m thinking particularly about the documentation requirement differences)”
      A: You need to have a general framework for managing the information security management system – this is done through the top-level Information Security Policy; then you need to write specific policies and procedures for particular controls – e.g. for access control you might write the Access control policy and/or Access control procedure.

      These materials will help you:
      – One Information Security Policy, or several policies? http://advisera.com/27001academy/blog/2013/06/18/one-information-security-policy-or-several-policies/
      – What should you write in your Information Security Policy according to ISO 27001? http://advisera.com/27001academy/blog/2016/05/30/what-should-you-write-in-your-information-security-policy-according-to-iso-27001/

  5. joanne says:

    If another department is accountable and responsible for one of the ISO controls (say HR or Records Management) and has policies it is responsible for maintaining, can we mark the SoA as not applicable within the ISMS? Or do we need to mark it as applicable, indicating the name of their policies, procedures, etc.?

Dejan Kosutic
Lead ISO 27001/22301 Expert, Advisera