Expert Advice Community

Statement of Applicability

Guest user Created:   Nov 27, 2018 Last commented:   Nov 27, 2018

My questions revolve around Annex A - in what format do we use Annex A in documentation? Do we leave it as it is provided by the standard? Do we annotate our specifics into it? Is it an actual Annex to the main ISMS document? When I look at the Statement of Applicability, it is identical but used in an audit / gap analysis context. Does the SoA include Annex A, in which case it is Annex A, or should they be kept separate? I think I understand the functionality of the main ISMS document and the SoA - I just don't see how Annex A is used without duplication of information with the SoA.

Expert
Rhand Leal Nov 27, 2018

Answer:

ISO 27001 Annex A is not to be used as a document for the ISMS. It is a reference for the definition of which controls to use to protect information and to build the Statement of Applicability. The SoA differs from Annex A because it only makes reference to the controls in Annex A (it does not contain the description of each control), and contains other information, such as which controls are applicable, whether they are implemented or not, and the justification for controls from Annex A you are not using.

To see what a Statement of Applicability looks like, I suggest you take a look at the free demo of our Statement of Applicability template at this link: https://advisera.com/27001academy/documentation/statement-of-applicability/

These articles will provide you further explanation about Statement of Applicability and ISO 27001 documentation:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- How to structure the documents for ISO 27001 Annex A controls https://advisera.com/27001academy/blog/2014/11/03/how-to-structure-the-documents-for-iso-27001-annex-a-controls/

These materials will also help you regarding Statement of Applicability and ISO 27001 documentation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://training.advisera.com/course/iso-27001-foundations-course/