The Statement of Applicability Is A Crucial Component of An ISO 27001 Risk Assessment
The Statement of Applicability (SoA) is a mandatory document that you need to develop, prepare and submit as part of your ISO 27001 effort, and it is crucial when it comes to completing your ISO 27001 Risk Assessment and obtaining ISMS certification.
An ISO 27001 Risk Assessment is a crucial section of a series of information management standards set forth by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standards are intended to serve as a framework of policies, known as an Information Security Management System (ISMS), that cover the legal, physical and technical controls relating to a business’s information risk processes.
What Is A Standard Statement of Applicability?
While ISO 27001 certification is not a requirement for businesses, you will find that you, your clients and your stakeholders will appreciate your pursuing it.
Once you decide to perform an ISO 27001 Risk Assessment, it is important to understand that there are key tasks that you must perform to obtain ISMS certification. The Statement of Applicability is one of those requirements.
The rules for developing your Statement of Applicability are not explicitly defined, which leaves many of the details up to you and your organization. There are, however, some key elements that can help steer you toward developing a highly effective SoA.
According to ISO/IEC 27001:2013, organizations performing an ISO 27001 Risk Assessment must produce a Statement of Applicability that includes the following:
- A listing of established security controls, based on specific operations, that serve to safely manage collected, stored and transmitted customer data.
- Justifications for including controls.
- Whether the controls have been implemented or not.
- Justifications as to why any of the ISO 27001 Annex A controls were excluded.
Why Is the Statement of Applicability So Important?
Most importantly, ISO 27001 requires that each ISMS includes an account and documentation of your company’s legal, statutory, regulatory and contractual requirements regarding information security, as well as a detailed description of your approach to meeting those requirements.
Your detailed SoA offers you the chance to record the controls that you choose for your organization to meet those requirements and also provides information on whether the controls were implemented for reasons apart from risk assessment.
Essentially, your Statement of Applicability serves as a roadmap to your ISMS, helping you stay focused and compliant on all fronts for everyone’s benefit.
6 Steps to Help You Develop An Effective ISO 27001 Statement Of Applicability
If you are new to performing an ISO 27001 Risk Assessment and developing a Statement of Applicability, or you just want to improve your approach and results, there are six steps that can help you develop an effective ISO 27001 Statement of Applicability that you can manage and update easily.
1. Understand the Controls You Need to Include and How to Include Them
The first step in launching your Statement of Applicability preparation is understanding how many controls, as well as which controls, it will include. IT Governance notes that the SoA includes 114 entries, which corresponds to each Annex A control.
Each entry will provide additional details about the respective control and will, if possible, link to relevant documentation about the implementation of that control.
2. Identify and Analyze Risks
Work with your team to identify and analyze all risks that could potentially compromise the confidentiality, integrity or availability of any asset within the scope of your ISMS. Once you uncover a risk, you need to analyze how it might occur, which typically involves identifying a vulnerability in the asset and any threat that could exploit that vulnerability.
3. Choose Controls to Treat Risks
Once you discover and analyze risks, you need to mitigate those risks to reduce them to a workable level. ISO 27001 recommends four ways to treat risks:
- Retain or tolerate
- Avoid or terminate
- Share or transfer
- Modify or treat
Ultimately, this step gives you the chance to apply security controls that will most likely reduce the impact or likelihood of that risk.
4. Develop a Risk Treatment Plan
Produce your risk treatment plan (RTP) as an integral part of a certified ISO 27001 ISMS, providing a summary of each identified risk, along with the responses determined for each risk, the owner of each risk and the anticipated date of application of the RTP.
5. Provide a List of Implemented Controls
Your SoA requires a list of all controls recommended by Annex A, along with your statement as to whether each control has been applied or not. Whether you have included or excluded a specific Annex A control, you must provide a justification in each instance.
6. Maintain Your Statement of Applicability
Keep in mind that the SoA is not a static document: it should change along with your own organization’s response and adaptation to security issues, as well as with the standards set forth by the ISO. The ISO is continually working to improve the standards to reflect the rapid changes in technology and how businesses adapt to those changes.
With those factors in mind, it is important to make regular updates to your SoA to reflect the controls that you use each day, as well as how they change over time, to stay aligned with your own ISMS and the ISO’s philosophy.
Let Us Help You Start Writing Your ISO 27001 Statement Of Applicability
If you are preparing for your upcoming ISO 27001 Risk Assessment and still need to prepare or update your Statement of Applicability, our I.S. Partners, LLC. team can help streamline the process. Our auditors can take you through each step listed and can help you dig a little deeper for the best possible outcome.