What is a Statement of Applicability (SoA) when seeking to achieve ISO 27001 (ISMS)?
A Statement of Applicability (SoA) is a key document in the context of an Information Security Management System (ISMS) based on ISO 27001. The SoA serves as a crucial component of the ISO 27001 certification process and provides transparency and clarity regarding how an organisation has implemented specific security controls to manage information security risks.
Here’s what you need to know about a Statement of Applicability for information security:
- Scope: The SoA outlines the scope of the ISMS, specifying the boundaries of what is covered by the system. This defines which parts of the organisation, processes, and systems are included in the ISMS and which are not.
- Risk Assessment: It lists the results of the organisation’s risk assessment process. This includes identifying information security risks, assessing their impact and likelihood, and determining the level of risk that is acceptable to the organisation.
- Selected Controls: The Statement of Applicability specifies which controls from Annex A of ISO 27001 are relevant and applicable to the organisation.
- Status of Controls: For each selected control, the SoA provides information on the status of its implementation within the organisation. This typically includes one of the following status categories:
- Implemented: The control is fully in place and operational.
- Partially Implemented: The control is partially in place but may require further work.
- Not Applicable: The control is not relevant to the organization’s operations.
- Justifications: If a control is marked as “Not Applicable” or if there are deviations from the standard’s requirements, the SoA should include justifications and explanations for these decisions.
- Objective Evidence: The document may also include references to objective evidence or documentation that demonstrates the implementation and effectiveness of the controls. This evidence is often used during audits and certification assessments.
- Updates: The SoA is not a static document. It should be regularly reviewed and updated to reflect changes in the organisation’s information security environment, including changes in risks, controls, or the scope of the ISMS.
ISO27001: 2022 Information Security Management Systems
The Statement of Applicability is a critical tool for organisations seeking ISO 27001 certification or those aiming to maintain and continuously improve their information security practices. It helps stakeholders, including auditors and certification bodies, understand how an organisation is managing its information security risks in alignment with ISO 27001 requirements.