Statement of Applicability Validation
If an organisation is making use of ISO 27001 as a guideline, but is not certified against ISO 27001, is it mandatory for the organisation to have an SoA in place?
First, it is important to know which objectives you want to achieve (i.e., for which purpose you want to use ISO 27001 as a guideline).
For example, if your organization wants to be fully compliant with ISO 27001, even if you are not intending certification, then the Statement of Applicability is mandatory.
If your intent does not involve being fully compliant with ISO 27001 (e.g., you only want to adopt some controls of the standard), then the Statement of Applicability is not mandatory, but we strongly recommend that you use it as good practice, because the SoA can be used as the main guide to understanding, and providing an overview of, how information security is implemented in your organization.
This article will provide you with further explanation about the Statement of Applicability:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
These materials will also help you with ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Feb 21, 2021