
Statement of applicability, GAP analysis and risk management

Statement of applicability (SoA)

The Statement of applicability (SoA) describes which measures (controls) from Annex A of ISO 27001 must be implemented in your company. The document is mandatory for certification, so prepare it carefully. The SoA refers directly to the scope you have chosen: for each control it states whether, and to what extent, the control has already been implemented. Annex A of ISO 27001 contains a total of 114 controls. Keep sensitive data out of the document, because the SoA is often passed on to customers or partners together with the certificate. A clearly written, easy-to-read SoA can also serve as a positive advertisement for your company.

GAP analysis

You can perform a GAP analysis using the document "Evaluation of Norm compliance". This document covers clauses 4 to 10 of ISO 27001 and is structured in the same way as the SoA. Use it to see where you currently stand and how much work is still ahead of you.

Risk management, risk assessment and risk treatment

Since ISO 27001 is risk-based, i.e. all rules are oriented to the actual risk, there must be a risk management system that also contains a risk assessment and a risk treatment plan. Risk management is concerned in particular with identifying potential risks and evaluating them with regard to information security. This allows the dangers to be weighted by risk and the appropriate countermeasures to be selected. It also gives a better overview of the costs and constraints of a countermeasure, which may exceed its benefit.

Tip: Form a risk assessment team. A team usually discovers more risks, and the different perspectives keep the assessment close to day-to-day practice, which sharpens your view of the risks.

The document "Risk Management Procedure", together with the table "Risk Assessment and Treatment Plan", offers you a simple method to identify, assess and treat your risks. In the process description, you should define the risk classes and describe how risks in each class are to be handled.