Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Frequency of updating the Statement of Applicability

  Quote
Guest
Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016

Frequency of updating the Statement of Applicability

I would just like to inquire on the frequency of updating the statement of applicability? Is there a need to update it after ISMS implementation?  Say for example during the initial phase, one of the controls is not yet implemented but after a year, it was already documented and already in practice.  Do we have to update the SOA because of that change?
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Guest
DejanK Jan 13, 2016

Answer:

ISO 27001:2013 in its clause 6.1.3 d) says "produce a Statement of Applicability that contains the necessary controls... whether they are implemented or not". Therefore, you need to update SoA once the status of your controls changes.

I think that updating the SoA once a year would be too infrequent, however if you do it once a month or quarterly that would be fine.
Quote
0 0
Guest
Guest post Jan 13, 2016
The Statement of Applicability or SoA, just like any other documented information within the ISMS, needs to be reviewed for suitability and adequacy (Cl. 7.5.2, ISO/IEC 27001:2013).

When controls are added, excluded or modified, corresponding change must be effected to the SoA through proper change control mechanisms (Cl. 7.5.3.e, ISO/IEC 27001:2013).

Otherwise, the SoA would be not suitable or adequate to the organization anymore since it will contain outdated information.

Normally, I would have a policy that has a fixed and instant review points for documented information.  

Fixed review could be an annual review by the document owner or process owner.  
Instant review would be when there are changes to the ISMS that affects documented information e.g. changes in technology used; changes in personnel that are nominated in disaster recovery plans or business continuity plans; changes in legal requirements, etc.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Jan 12, 2016

Jan 12, 2016

Suggested Topics

Guest user Created:   Jul 07, 2021 ISO 27001 & 22301
Replies: 1
0 0

Statement of Applicability

Guest user Created:   May 05, 2021 ISO 27001 & 22301
Replies: 1
0 0

ISMS Scope Statement

Guest user Created:   Mar 26, 2021 ISO 27001 & 22301
Replies: 1
0 0

DRP applicability