Nowadays, information security is in the spotlights. Organisations need to ensure compliance against regulation (PCI-DSS, GDPR, PSD2, etc.) but also simply want to show their customers that they conscientiously and securely manage their assets/information. There are many frameworks that help proof your organisation’s security. One of them is ISO27001. You can apply only this framework or you can opt for the ISO27001 certification (a defined scope, a process, your entire organisation, etc.).
In order to be ready for the audit phase, you will need to prepare mandatory documents and run some tasks. For example, risk assessment is one of the tasks in the early phase of implementing ISO27001, this was discussed in a previous article. This article will be focused on a document called ‘Statement of Applicability (SoA)’.
What is it?
The Statement of Applicability is the central document that defines how you will implement a large part of your information security. The very important document is produced after the risk assessment and will be used as input for the implementation of your information security controls. It is a mandatory as you will need to obtain your certification.
Why is it needed?
The clause 6.1.3, which is part of the broader 6.1, focusses on actions to address risks and opportunities. It states that an organisation must produce a Statement of Applicability as a part of the risk treatment process. Auditors will first have a look at the SoA and check your company to see whether you have implemented your controls in the way you described them.
Key elements of the document
Its purpose is to define which of the 114 controls (security measures) from ISO 27001 Annex A you will apply. The documents should include:
- The applicable or not applicable controls
- Justification for inclusion or exclusion
- Whether the controls have been already implemented or not
- How you will implement applicable controls in terms of policy, procedure, people, technology, and so on
Why should you write a SoA?
You performed a risk assessment and produced a risk assessment report (also mandatory). So, why should you write a SoA?
- A risk assessment report can be lengthy and contain a high number of identified risks (a few thousand for large organisations). It isn’t particularly useful for everyday operational practices. SoA is rather short and concise which makes it possible to present to the management and keep it up to date.
- During the risk treatment phase, you identify the controls which are necessary because you decided to reduce the level of risks (based on your risk appetite). However, in SoA you identify the controls which are required because of other reasons. For example, law, contractual requirements and other processes.
- This documentation will need to be available during the audit phase when the auditor will test some of the ISO 27001 controls and ensure they not only describe, but adequately demonstrate that the control objectives are being achieved. One of the most common reasons for failing an ISO27001 audit is because the auditor is unable to draw confidence in the administration of the ISMS and documentation is poorly managed or missing.
- The SoA serves as a roadmap to your Information Security Management System (your implementation of ISO27001), helping you to stay focused and compliant.
How to draw up the document?
Unfortunately, there are no explicitly defined rules for writing your SoA which leaves the details up to you. As long as the SoA contains the right information, is accurate and up to date, you can create it from paper, spreadsheets, documents or professional systems that automate it as part of their Broader GRC module (Governance, Regulation, Compliance).
By writing a good SoA, you could decrease the number of other documents to write. For example, if you want to document a certain control, but the description of the procedure for that control would be rather short, you can describe it in the SoA.
Who does ISO27001 apply to?
ISO 27001 is applicable to all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations. ISO Standard is a risk-based approach. The controls and policies applied may vary considerably from one organisation to another. This depends on the organisation leadership appetite for information risk and the scope of assets to address risks around. Yet, they can still meet the ISO 27001 control objectives.
What is ISO27001 Annex A?
Annex A of ISO 27001 is a catalogue of the information security controls and objectives that need to be considered during the ISO 27001 implementation. It consists of 114 controls categorised within 14 domains listed below:
- A.5 Information security policies
- A.6 Organisation of information security
- A.7 Human resource security
- A.8 Asset management
- A.9 Access control
- A.10 Cryptography
- A.11 Physical and environmental security
- A.12 Operations security
- A.13 Communications security
- A.14 System acquisition, development, and maintenance
- A.15 Supplier relationships
- A.16 Information security incident management
- A.17 Information security aspects of business continuity management
- A.18 Compliance
What about ISO27002?
ISO27002 is the supplementary standard to ISO 27001. It provides a useful outline for information security controls as well as guidance on how to implement them.
The controls need to be reviewed and regularly updated during the 3-year ISO certification lifecycle. This is part of the ongoing information security management improvement philosophy.
Cybercrime is constantly increasing, therefore cyber security should also move quickly so anything less than an annual review of controls would potentially increase the organisation’s threat exposure. The SoA needs to be reviewed when your policies and controls are reviewed (at least annually) in order for it to still benefit from being an efficient process given the 114 controls to examine.