Step-by-Step Guide for Creating an ISO® 27001 Statement of Applicability
Sep 21, 2023
Cybersecurity incidents have increased by 67% from 2014-2019, causing organizations in the US alone to suffer financial losses amounting to $27.4 million.
In response to these concerning statistics, the Statement of Applicability (SoA) has become a vital document for organizations seeking to protect their information assets and show compliance. The SoA acts as a guide throughout the ISO® 27001 certification process, providing an overview of how information security is implemented within the organization.
This ISMS Connect guide empowers professionals with the knowledge and tools needed to leverage the potential of the SoA in their critical endeavors. With an understanding of the SoA’s role in information security, professionals can proactively protect their organizations, mitigate risks, and ensure compliance with industry standards.
What Is a Statement of Applicability for ISO® 27001?
A Statement of Applicability (SoA) for ISO® 27001 is a document that forms an integral part of your information security management system (ISMS) and is one of the most important documents you’ll need to develop for ISO® 27001:2022 certification.
The SoA provides a comprehensive list of all ISO® 27001 Annex A controls and determines whether each control applies to the organization or not. It also outlines the implementation of the controls and references the relevant documentation for each control. Additionally, it should include any controls that are not relevant to the organization and provide reasons for their exclusion.
According to Clause 6.1.3 of the ISO® 27001 Standard, the SoA must:
List the controls identified in response to the identified risks.
Explain the selection and implementation of the controls, as well as the reasons for omitting any controls, if applicable.
The SoA must be reviewed and approved by management or the relevant authority within the organization. Because it details an organization's security controls, the SoA should be treated as a confidential document.
To further simplify the process of information security management and ISO® 27001 certification, consider exploring ISMS Connect—a platform dedicated to assisting SMBs in achieving certification. ISMS Connect offers templates, guides, and access to consultants, making the certification process more accessible and cost-effective.
Why Is a Statement of Applicability for ISO® 27001 Important?
The Statement of Applicability for ISO® 27001 provides traceability by documenting the controls that will be applied, the justification for their inclusion, the implementation status of each control, and the justification for excluding controls that are not applicable. This document serves as a central reference point to track how information security is implemented in an organization and ensures that the necessary controls are in place to manage risks effectively.
Cuts Down on Paperwork
The SoA is a short document that has a row for each control (controls from Annex A, plus the added ones), making it possible to present it to management and to keep it up-to-date. This makes it easier to manage information security risks and prioritize security efforts.
Enhances Day-to-Day Risk Management
Some organizations might identify thousands of risks, making documents like risk assessment reports too unwieldy for day-to-day use. The SoA provides a relatively short, single source of information about the security controls that are in place and makes it easier to keep the document up-to-date.
How to Create a Statement of Applicability for ISO® 27001
Step 1: Understand the Requirements
Before diving into the creation of your SoA, it's imperative to understand the requirements of ISO® 27001. The SoA is essentially a comprehensive document that contains all the information security controls relevant to your organization.
These controls are derived from Annex A of ISO® 27001, which encompasses a list of 93 controls. We have an in-depth guide to ISO® 27001 controls on the blog, so be sure to check that out before moving forward.
Step 2: Conduct a Risk Assessment
The next critical step is conducting a comprehensive risk assessment. This process involves identifying, evaluating, and managing risks that could impact your organization's information security. Key elements of this step include:
a) Determining the Appropriate Methodology
Choose the risk assessment methodology that aligns with your organization's specific needs and objectives.
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation): Developed by the Software Engineering Institute (SEI), OCTAVE addresses challenges related to information security compliance. Its primary goal is to align an organization's objectives with its information security efforts. OCTAVE is particularly aimed at individuals responsible for managing an organization's operational risks. It helps organizations establish qualitative criteria for evaluating operational risk tolerance, pinpoint crucial assets, identify vulnerabilities and threats to those assets, assess potential consequences of realized threats, and initiate continuous improvement actions to mitigate risks.
NIST SP 800-30: Provided by the National Institute of Standards and Technology (NIST), this guide offers comprehensive instructions for conducting risk assessments. It covers three key phases: preparation for the assessment, conducting the assessment, and maintaining it. Additionally, it emphasizes how risk assessments fit into the broader organizational risk management process, highlighting their role in informing and complementing other risk management activities.
ISO® 27005: This standard provides guidelines for managing information security risks. It complements the principles outlined in ISO® 27001 and supports the effective implementation of information security through a risk management approach. ISO® 27001's Risk Assessment & Treatment guide underscores that risk management comprises two main elements: risk assessment (often referred to as risk analysis) and risk treatment. The risk assessment process involves identifying information security risks, assessing their likelihood and impact, and laying the foundation for subsequent risk mitigation strategies.
b) Seek Guidance
When conducting a risk assessment, it is often advantageous to seek guidance from reputable external sources. These sources have been developed by experts in the field and offer a wealth of knowledge and best practices that can enhance your own risk assessment process.
Here's a brief overview of a few resources:
ISO® 27001: This international standard provides guidelines for the selection and implementation of information security controls, as well as the adoption of information security standards and practices. It is intended for use by organizations within the framework of an ISMS based on ISO® 27001. ISO® 27001 helps organizations implement information security controls based on globally recognized best practices and develop their own information security management guidelines.
NIST SP 800-53: This set of standards from NIST assists federal agencies and contractors in meeting the requirements outlined by the Federal Information Security Management Act (FISMA). It presents a comprehensive catalog of security and privacy controls for safeguarding information systems and organizations, protecting operational assets, individuals, other entities, and the nation from a wide range of threats and risks.
CIS Controls: The CIS Critical Security Controls (CIS Controls) are a clear, prioritized, and simplified set of best practices designed to bolster your cybersecurity posture. They are aligned with and referenced by various legal, regulatory, and policy frameworks. These controls consist of specific safeguards, each focused on a single cybersecurity task. This streamlined approach to cybersecurity has proven to be effective in defending against contemporary threats.
Step 3: Choose Controls to Treat Risks
ISO® 27001 outlines four risk treatment options:
Retain or Tolerate: This choice is made when the identified risk is within the organization's acceptable threshold. The organization recognizes the risk but chooses not to implement additional controls. This decision is often based on a cost-benefit analysis, where the expense of mitigating the risk is deemed higher than the potential harm it may cause.
Avoid or Terminate: This strategy eliminates the risk by discontinuing the associated activity or process. For instance, an organization may stop using a software application that poses a high security risk in order to remove the risk entirely.
Share or Transfer: The organization transfers risk to a third party through outsourcing, insurance coverage, or partnerships. For example, data loss risk can be transferred by outsourcing data backup and recovery to a third-party provider responsible for mitigating it.
Modify or Treat: This method entails reducing the risk by implementing suitable security controls. These controls are typically selected from the list of 93 controls specified in Annex A of ISO® 27001. The implementation of these controls is a fundamental part of the risk treatment process and is documented in a risk treatment plan.
The choice of which risk treatment option to pursue should align closely with your organization's risk management strategy and information security objectives. These controls play a pivotal role in fortifying your organization's security posture and ensuring compliance with ISO® 27001 standards.
Step 4: Complete the Risk Treatment Plan
With selected controls in hand, create a comprehensive risk treatment plan. This plan should delineate the specifics of how you intend to implement and execute the chosen controls effectively.
For example, your plan might specify that access control measures will include role-based access, strong password policies, and regular access reviews. Encryption might involve implementing end-to-end encryption for sensitive data in transit.
Step 5: Create an SoA
Now, you're ready to craft your SoA.
This pivotal document should provide a comprehensive list of the information security controls that are relevant and applicable to your organization based on the earlier risk assessment and treatment steps.
For instance, your SoA might specify that access control measures will apply to all employees and contractors with access to sensitive data, and it will detail the encryption algorithms and key management procedures to be used.
Typically, the SoA is organized as a spreadsheet, as it allows for easy categorization and organization of the controls and their details. However, any document that can be divided into sections can be used effectively for this purpose.
The process starts with focusing on the Justification for Control Inclusion column and identifying the purpose of each control. The controls are based on security best practices and help mitigate risks within the company. Contractual obligations and additional standards, such as GDPR, may also be considered.
In the Status or % column, the status of each control is filled in (for example: implemented, excluded, in-process, or not started). Controls may be excluded if third parties are responsible for managing the associated risks. The Compliance Page, specifically Annex A 5, provides more specific information on the tests included in each control's implementation and helps determine their status.
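As an added example (not ISMS Connect's template or tooling), the following Python script checks an SoA kept as a CSV file against the Clause 6.1.3 requirements described above: every row carries a justification for inclusion or exclusion, applicable controls have a valid status and an implementing document, excluded controls are marked as such, and all 93 Annex A controls of ISO® 27001:2022 appear. The column names and the sample rows are assumptions made for the example.

```python
import csv
import io

# ISO 27001:2022 Annex A numbering: 5.1-5.37, 6.1-6.8, 7.1-7.14, 8.1-8.34 (93 controls).
ANNEX_A_IDS = {f"{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
               for n in range(1, count + 1)}
# Status values follow the "Status or %" column described in the article.
ACTIVE_STATUS = {"implemented", "in-process", "not started"}

def check_soa(rows):
    """Return a list of findings for SoA rows given as dicts; an empty list means it passes."""
    findings, seen = [], set()
    for row in rows:
        cid = row["control_id"].strip()
        applicable = row["applicable"].strip().lower()
        status = row["status"].strip().lower()
        if cid in seen:
            findings.append(f"{cid}: listed more than once")
        seen.add(cid)
        if not row["justification"].strip():  # Clause 6.1.3: explain selection and omission
            findings.append(f"{cid}: no justification for inclusion/exclusion")
        if applicable == "yes":
            if status not in ACTIVE_STATUS:
                findings.append(f"{cid}: invalid status '{status}'")
            if not row["reference"].strip():
                findings.append(f"{cid}: applicable control has no implementing document")
        elif applicable == "no":
            if status != "excluded":
                findings.append(f"{cid}: excluded control must have status 'excluded'")
        else:
            findings.append(f"{cid}: applicable must be yes/no, got '{applicable}'")
    # Every Annex A control must be listed, whether applicable or excluded.
    missing = sorted(ANNEX_A_IDS - seen, key=lambda s: tuple(map(int, s.split("."))))
    if missing:
        findings.append(f"{len(missing)} Annex A controls missing, e.g. {', '.join(missing[:3])}")
    return findings

def check_soa_csv(text):
    """Parse a CSV SoA (header row required) and run the checks."""
    return check_soa(csv.DictReader(io.StringIO(text)))

# Constructed sample SoA with deliberate defects; not a real organisation's SoA.
SAMPLE_SOA = """control_id,applicable,justification,status,reference
5.1,yes,Risk R-01: policy gaps,implemented,ISP-001 Information Security Policy
5.2,yes,,in-process,RACI-002
7.1,no,No own premises; physical security provided by hosting provider,excluded,
8.1,yes,Risk R-07: unmanaged endpoints,done,EDR runbook
"""

if __name__ == "__main__":
    for finding in check_soa_csv(SAMPLE_SOA):
        print("-", finding)
```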
Step 6: Leverage Online Resources
For SMBs that lack the resources to rely on expensive consulting services, online resources can be a great source of information. Look for blogs, whitepapers, and other resources that discuss the specific compliance requirements your organization faces.
Looking for a more personalized alternative? At ISMS Connect, we simplify complex information security topics and provide direct access to templates, guides, and consultant support within our community.
Elona Health GmbH, under the leadership of Managing Director Magnus Schückes, has successfully achieved ISO® 27001 certification within a remarkably short timeframe. This accomplishment was made possible thanks to the implementation of ISMS Connect.
By leveraging ISMS Connect and its features, Elona Health GmbH was able to streamline its processes and acquire the necessary knowledge to navigate the complexities of information security. Our platform’s intuitive templates played a crucial role in integrating the principles of ISO® 27001 into the company’s operations, ensuring a seamless and efficient transition.
The Statement of Applicability (SoA) is a crucial document for organizations looking to strengthen their information security, achieve ISO® 27001 compliance, and effectively manage cyber threats.
ISMS Connect supports SMBs in their journey to ISO® 27001 certification by providing valuable resources, templates, and expert guidance. By following these steps and taking advantage of ISMS Connect’s resources, organizations can strengthen their information security, adapt to changing risks, and ensure compliance with industry standards.
Sign up for ISMS Connect to get started.