Statement of Applicability
The ISO 27001 standard is a risk-based standard. So, it’s important to go through your risks, identify the impact and then assess whether you need to treat those risks. The Statement of Applicability (SoA) is a requirement to comply with Annex A of ISO 27001. Auditors will certainly show an interest in this document and its version number will usually appear on your certificate.
Annex A is a list of 114 controls that can be used as treatments to reduce the impact of those risks. These are common best-practice controls; the standard expects you to assess each one and implement those that apply to your organisation.
The SoA sets out whether each of these controls applies to, and is implemented by, your organization. If your organization chooses not to implement a control, it is mandatory to justify why the control does not apply.
For the controls that your organization implements, it is mandatory to state why they are applicable, whether and how they are implemented, and to show evidence. In many organizations, most, if not all, of the controls will apply. The most common exception is when there is no in-house bespoke software development, which results in controls such as A.14.2.1 (secure development policy) not being applicable. Similarly, if your organization has no remote working or teleworking sites, control A.6.2.2 would not apply.
The applicable controls may change over time once your organization has become certified, as it starts or stops business or relevant technical activities, or as the organization grows or contracts.
The SoA is a summary of your organisation’s implementation status for each of the 114 controls of Annex A of ISO 27001. In Compleye Online, the SoA is found in the ISO Certification section. As you work your way down the list of controls you will find 14 chapters and 114 controls.
According to clause 6.1.3 of the standard, the SoA must define which controls your organization has identified to address the risks involved in its business. This can be done by conducting an ISO 27001 gap analysis and risk assessment. It is also important to explain why each control was selected. You must state whether your organization has implemented the selected controls and provide evidence (relevant documents or links to documents) showing that they have been implemented. Equally, you must explain why any controls have been omitted. Compleye Online is useful here because you can present all the documents relevant to the audit in one place.
Completing the SoA can seem like a daunting task, but if you follow the steps on the Wiki, the process will be simpler and even (almost) fun.
The SoA on Compleye Online consists of five main sections.
- The first column lists the 14 chapters; the second column lists the controls belonging to each chapter.
- You can select the applicability of each control by clicking “Yes” or “No” in the third column.
- If a control is not applicable and you select “No” in the applicability column, the “Reason” column (fourth column) is set to “non-applicable” by default. You can select more than one reason for a single control.
- You can enter your justification, and whether the implementation is done, in the “Justification” column.
It is possible for admins to add new controls that are relevant to your organization by using the context menu. The control’s name and the “Justification” fields are mandatory.
The SoA in Compleye provides a search option and filters that narrow the list of controls by applicability and reason.
The document can be downloaded and archived once it’s been approved by management.