ISO 27001: How to Write a Statement of Applicability

A recent survey conducted among risk management experts has revealed that cyber incidents are the primary threat to businesses globally in 2022. 

These incidents include cybercrime, IT failure or outages, data breaches, and penalties. This is not good news for your business or data. Due to these concerns and more, many companies are opting for ISO 27001 certification to reduce risks and establish trust with customers who are becoming increasingly concerned about their data. 

A critical aspect of obtaining this certification is the creation of a Statement of Applicability (SoA). If you’re uncertain about how to begin, this post will serve as a quick start guide to simplify the process as much as possible.

What’s an ISO 27001 Statement of Applicability?

The ISO 27001 Statement of Applicability (SoA) is a crucial document required for obtaining ISO 27001 certification. Essentially, it is a comprehensive document that outlines the controls of Annex A that your organization has deemed necessary for managing information security risks, as well as those that have been excluded.

While this document is typically only shared with your organization and the certification body, it is of utmost importance to ensure its accuracy and completeness. Failure to do so can result in delays in the certification process and hinder the achievement of ISO 27001 certification.

To elaborate, the SoA is an internal document that is used to demonstrate the extent to which your organization complies with the Annex A controls of ISO 27001. It is a vital component of the certification process, as it provides an overview of the information security measures that your organization has implemented and the areas that have been excluded. This document is used to verify that your organization has identified the necessary controls to manage information security risks effectively.

In summary, the SoA is a document that provides a clear understanding of the information security measures implemented by an organization and is crucial for obtaining ISO 27001 certification. While it is an internal document, it is essential to ensure its accuracy and completeness to avoid any delays in the certification process.

How to Create Your Statement of Applicability

Here’s a breakdown of the steps you’ll need to take to put together an SoA for your organization.

Understand the Requirements

The first step to writing an ISO 27001 Statement of Applicability is understanding the requirements which can be overwhelming if you’re new to information security or ISO 27001. 

Nevertheless, understanding these requirements will help ensure that your SoA is accurate and complete. For a high-level breakdown of ISO 27001 requirements, check out this guide. 

Conduct a Risk Assessment

To begin the process of writing an ISO 27001 Statement of Applicability, you will need to conduct a risk assessment. The purpose of this step is to evaluate the information security risks that could pose harm or loss to your organization.

If you have already completed a risk assessment, use that information as a starting point. 

If not, start by:

Determining the Appropriate Methodology 

Your risk assessment should be tailored to your organization’s environment and circumstances. In other words, you should choose a risk assessment methodology that gathers the information you need about the particular risks affecting your company.  

Most risk assessments can follow a qualitative approach which uses judgment to categorize risks on a low to high scale of probability, or quantitative, which uses mathematical formulas to calculate expected monetary losses of certain risks. These methodologies can also be combined with other methods like asset-based or threat-based. 

Both ISO 27005 and NIST SP 800-30 standards can provide guidance for determining the most appropriate risk methodology.

Looking for Guidance

If you don’t have a cybersecurity expert on your team, you could hire a consultant to help identify threats that could affect your organization’s ability or success in achieving its goals. They may suggest strategies or tools they’ve used when working with companies in your industry which can help form your own plan.

Again, this can be particularly useful if you’re a new organization or don’t have much experience with risk assessments. Getting input from others can help create a more complete risk profile.

Determine Your Risk Management Strategy

This is the point where you define your risk management strategy, identify security risks, and what you need to implement to manage those risks effectively. For example, an organization may decide to implement an encryption solution for securing sensitive data. 

Once you define all parts of your risk management strategy, you will have a clearer picture of what type(s) of controls will be best suited for addressing each component within your organization’s IT system.

Select the Security Controls Most Relevant to Your Organization

Every company is different, and that means the controls you implement may be unique to your organization or industry.

If you run a large manufacturing business with multiple warehouses where inventory is always being shipped out or returned to storage, then physical access control could be part of your ISO 27001 certification process.

However, other companies may find that they don’t face many physical security risks and that another set of controls are at the top of their priority list. 

Complete the SoA 

At this point, you have everything you need to put your Statement of Applicability together. 

If you have chosen to exclude an Annex A control, it’s important to provide justification for this decision. You should include the risks that were considered and determined not to be a high priority. If possible, explain why a particular risk was deemed unfit for inclusion. 

You will also need to document the reason for including Annex A controls. Typically, the reason for including Annex A controls is because the control was determined to be necessary for mitigating a specific information security risk.

Plan Annual Updates

Once you’ve completed your Statement of Applicability and risk assessment, you’ll need to keep a close eye on it. You should regularly review the document to ensure that you’re still meeting the requirements described in the standard.

Additionally, be sure to stay up to date with any technology changes that may impact your program and risk treatment plan.

Want to put ISO 27001 on autopilot?

Paireds streamlines the ISO 27001 certification process so you can focus on growing your business securely. Schedule a demo to see what our solution can do for you.

%d bloggers like this: