Documenting Statement of Applicability
1. How to start documenting Statement of Applicability.
2. What approach to follow?
3. Who all should one interact with?
1. How to start documenting Statement of Applicability.
To start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
2. What approach to follow?
According to ISO 27001, the following information must be included in the SOA:
- All applied controls
- Justification for inclusions
- Implementation status
- Justification for exclusions of controls from Annex A
You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).
Regarding the format, you can adapt the information to any format your organization considers proper (a document, a spreadsheet, etc.).
To see what a Statement of Applicability compliant with ISO 27001 looks like, please see the free demo at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/
3. Who all should one interact with?
In the development of the Statement of Applicability you need to interact with those who participated in the risk assessment and treatment, and in the identification of legal requirements, and they should be the managers and key personnel of the related areas or processes (e.g., for IT, you need to interact with the IT manager and the systems administrator; for Finance, you need to interact with the Finance Manager and a finance specialist, etc.).
This information may help you to start, but please note that this material depends on the contribution of our readers and some of it may be outdated. It is strongly recommended to hire legal expert advice to support this activity:
- Laws and regulations on information security and business continuity https://advisera.com/27001academy/knowledgebase/laws-regulations-information-security-business-continuity/
For further information, see:
- How to identify ISMS requirements of interested parties in ISO 27001 https://advisera.com/27001academy/blog/2017/02/06/how-to-identify-isms-requirements-of-interested-parties-in-iso-27001/
Mar 05, 2021