Documenting Statement of Applicability

Guest user | Created: Mar 05, 2021 | Last commented: Mar 05, 2021

1. How to start documenting Statement of Applicability.

2. What approach to follow?

3. Who all should one interact with?


Expert
Rhand Leal Mar 05, 2021

1. How to start documenting Statement of Applicability.

To start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.

For further information, see:

2. What approach to follow?

According to ISO 27001, the following information must be included in the SOA:

  • All applied controls
  • Justification for inclusions
  • Implementation status
  • Justification for exclusions of controls from Annex A

You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).

Regarding the format, you can adapt the information to any format your organization considers proper (a document, a spreadsheet, etc.).

To see what a Statement of Applicability compliant with ISO 27001 looks like, please see the free demo at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/

3. Who all should one interact with?

In the development of the Statement of Applicability you need to interact with those who participated in the risk assessment and treatment, and in the identification of legal requirements; they should be the managers and key personnel of the related areas or processes (e.g., for IT, you need to interact with the IT manager and the systems administrator; for Finance, you need to interact with the Finance Manager and a finance specialist, etc.).

This information may help you to start, but please note that this material depends on the contributions of our readers and some of it may be outdated. It is strongly recommended to hire legal expert advice to support this activity.

For further information, see:
