
Expert Advice Community

Guest

Statement of Applicability Content

Guest user | Created: Aug 22, 2017 | Last commented: Aug 22, 2017

I am taking the training courses for the ISO 27001 foundation course. I have a question regarding the Statement of Applicability document. I understand this document should have the applicable controls from Annex A and some other additional controls. If this document should have applicable controls only, why does the table have the option for "Not applicable controls" and the "Reason why N/A"?

Expert
Rhand Leal Aug 22, 2017

I thought the process for identifying applicable controls are done during the evaluation of risks & risk treatment processes. Could you give me an example?

Answer: According to ISO 27001, clause 6.1.3 d), the Statement of Applicability is required to fulfil these purposes:
- list the necessary controls and their justification for inclusions; whether they are implemented or not, and
- the justification for exclusions of controls from Annex A

So, presenting the applicable controls is only part of the content you will find in an SoA compliant with ISO 27001. That's why the table presented has the "Not applicable controls" and the "Reason why N/A" options.

Regarding the identification of applicable controls, this is done during the risk treatment processes (the risk evaluation process will help you identify which risks require treatment).

As an example of a not applicable control, if your organization does not access, process or store information at teleworking sites, there is no reason to apply control A.6.2.2 (Teleworking), thus this control is stated as Not Applicable in your SoA.

On the other hand, if your risk assessment identifies the loss of digital information as unacceptable, or if there is a contractual clause or top management decision demanding this risk to be treated, these reasons would be sufficient to justify the applicability of, let's say, control A.12.3.1 (Information backup).

This article will provide you further explanation about Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

These materials will also help you regarding Statement of Applicability:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
