Get 2 Documentation Toolkits for the price of 1
Limited-time offer – ends March 28, 2024

Expert Advice Community

Guest

Statement of Applicability

  Quote
Guest
Guest user Created:   Aug 11, 2020 Last commented:   Aug 11, 2020

Statement of Applicability

I hope you don’t mind me contacting you. I bought two of your books through my work.

I have a question about the Statement of Applicability and I was hoping to get your opinion.

1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Aug 11, 2020

1 - My understanding of the SOA is that it lists the 114 controls of Annex A. An organization should select the controls that are ‘applicable’ to safeguard the assets that are in the scope of the organization's ISMS. Is this correct?

There is something I do not understand. The above makes sense if the SOA only applies to 1 asset (for example, a single business system). In this example, 112 out of 114 controls might be applicable. But what happens when you add more and more assets? The 2 controls that are not applicable for the first asset might be applicable for the other assets – eventually, you just end up saying that all 114 controls are applicable and therefore the SOA does not really have much value at this point?

When you add more assets, in fact, the number of applicable controls will increase, but from our experience with our customers, smaller companies are usually at ca 100 controls, while larger ones are usually above 110.

For example, for companies that use only Commercial off-the-shelf (COTS) software, there is no need to apply control A.9.4.5 Access control to program source code, because there wouldn't be source codes in the organization.

Please note that the Statement of Applicability purpose is not only to list the applicable controls, but also to provide justification for applicable controls (e.g., needed to treat risk, needed to fulfill a legal requirement, etc.), a justification for non-applicable controls, and the implementation status of the applicable controls. This information can be used to summarize an organization's approach to protect the information and to guide auditors during audits.

For further information, see:

2 - My other question is around risk assessments. If all 114 controls are applicable for a system, does that mean our risk assessment has to cover all 114 controls? Or would a better way be to do a ‘compliance assessment’ to verify which of the 114 controls are applicable and which of those controls are implemented and working effectively and then document the risks based on the control gaps?

 Please note that for ISO 27001 risks and requirements lead to controls applicability, not the other way around.

Considering that, you do not need to identify risks to justify the applicability of all 114 controls, only the controls that are relevant to your organization.

What you could do in the next regular risk review (e.g. in 6 or 12 months time) is to include the risks that you realized were missing from your existing risk assessment.

 This article will provide you a further explanation about risk assessment and risk treatment:

This material will also help you regarding risk assessment and risk treatment:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Aug 11, 2020

Aug 11, 2020