Expert Advice Community

Who writes the Statement of Applicability?

Guest user | Created: Jan 12, 2016 | Last commented: Jan 12, 2016

Now I'm at the Statement of Applicability, but I have some doubts about it. For example, who has to fill in the information in the SoA: the CISO or the departments involved? For example, are the controls of item A.7 Human Resource Security handled by the Human Resources Department? And is it necessary to establish the maturity level of those controls?
DejanK Jan 12, 2016

Answer: ISO 27001 does not define who should write the Statement of Applicability, but good practice is that this document is written by the person who is the project manager for the ISO 27001 implementation; in most cases this is the CISO. The project manager/CISO is usually in the best position to collect all the information from the other departments and fill it into the SoA.

If you had several people updating the SoA, you would have a problem with the integrity of this document.

ISO 27001 does not require you to determine the maturity level of the controls, it only requires you to state whether they are implemented or not (clause 6.1.3 d).
