How to fill Statement of Applicability
Assign topic to the user
For example, this has for (6):
A.6.1.1 Information security roles and responsibilities
A.6.1.2 Segregation of duties
A.6.1.3 Contact with authorities
A.6.1.4 Contact with special interest groups
A.6.1.5 Information security in project management
Yet the document "A.6.1_Bring_Your_Own_Device_BYOD_Policy_Cloud_EN.docxx" has the following in the table of contents. How are they linked?
Table of contents
1. PURPOSE, SCOPE AND USERS 3
2. REFERENCE DOCUMENTS 3
3. SECURITY RULES FOR USING BYOD 3
3.1. COMPANY POLICY 3
3.2. WHO IS ALLOWED TO USE BYOD, AND FOR WHAT 3
3.3. WHICH DEVICES ARE ALLOWED 3
3.4. ACCEPTABLE USE 3
3.5. SPECIAL RIGHTS 4
3.6. REIMBURSEMENT 4
3.7. SECURITY BREACHES 5
3.8. TRAINING AND AWARENESS 5
4. MANAGING RECORDS KEPT ON THE BASIS OF THIS DOCUMENT 5
5. VALIDITY AND DOCUMENT MANAGEMENT 5
Plus, I do not see 08_Annex_A_Security_Controls in the download, yet it asks for them in 6_Statement_of_Applicability_Cloud:
A.5, A.5.1, A.5.1., A.5.1.2
Answer:
To fill out the Statement of Applicability (SoA) you have to:
1) Complete the List of legal, regulatory and other requirements, and the Risk treatment table - those two documents will be your main inputs for writing the SoA.
2) Based on those two inputs you decide whether a particular control is applicable or not, i.e. whether you need that control to satisfy a requirement, or to decrease a risk.
3) If a control is applicable, you simply have to look for a document that covers this control - in the "List of documents" (located in the root folder of the toolkit) you will find a cross-reference showing which controls are covered in which document. In the SoA template there are already suggested documents for most of the controls.
By the way, together with the toolkit you have received access to the video tutorial which explains how to fill out the Statement of Applicability - there you will see lots of examples of how this is done.
May 11, 2019