1. How to start documenting Statement of Applicability.
To start documenting the Statement of Applicability you need to perform a risk assessment and risk treatment, to identify the relevant risks and controls (from ISO 27001 Annex A or other sources) you will implement to treat them. Additionally, you need to identify legal requirements (e.g., laws, regulations, and contracts) which require the implementation of specific controls.
In the development of the Statement of Applicability you need to interact with those who participated in the risk assessment and treatment, and in the identification of legal requirements, and they should be the managers and key personnel of the related areas or processes (e.g., for IT, you need to interact with IT manager and systems’ administrator, for Finance, you need to interact with the Finance Manager and a finance specialist, etc.).
This information may help you to start, but please note that this material depends on the contribution of our readers and some of them may be outdated. is strongly recommend hiring legal expert advice to support this activity: