ISO 27001 certification is crucial for any data collecting organisation's information security system. It is a certification that, when achieved, builds trust with customers, grows business values, and offers a safe legal environment for your organisation.
Multiple stages of the ISO 27001 certification process require documentation, and one of the most important documents needed is the statement of applicability. This article provides an in depth understanding of what a statement of applicability is, why it is important and how to create one.
In this Article
- What is the Statement of Applicability (SoA)?
- Why is the statement of applicability important in ISO 27001 certification?
- What information does the Statement of Applicability include?
- What are the benefits of Statement of Applicability?
- How do you create a Statement of Applicability?
- How can DataGuard help you save time when writing a Statement of Applicability?
What is the Statement of Applicability?
The Statement of Applicability (SoA) is an important aspect of an organisation’s information security management system (ISMS). It is the fundamental criteria for organisations to get ISO certification of the ISMS and it’s one of the first things that an external auditor looks for when performing an audit. Additionally, the SoA is part of 6.1.3 of the primary ISO standards for ISO 27001, a component of the larger 6.1 requirements, which is focused on activities that address risks and opportunities.
Using the SoA, an organisation may determine which ISO 27001 controls and policies are currently in place and compare them to the ISO 27001 Annex A controls. ISO 27001 Annex A is a collection of 114 information security controls (in 14 categories) and goals organisations need to consider throughout their ISO 27001 implementations.
The SoA has to be available throughout the audit phase when the auditor tests some of the ISO 27001 controls to check that they explain and sufficiently show that an organisation is accomplishing its control objectives.
ISO 27001 applies to organisations of all sorts and sizes, including public and private organisations, government agencies, and not-for-profit organisations. However, an organisation doesn’t necessarily need to apply all 114 controls outlined in ISO 27001 Annex A; but it must justify which controls it is applying and why.
What controls should be implemented in your organisation?
Implementing controls from Annex A differ from one organisation to the other. You are only required to implement controls that mitigate your organisation's risks. To determine what controls apply to your organisation, you can consider conducting a gap analysis and a risk assessment.
What is an ISO 27001 gap analysis?
An ISO 27001 Gap Analysis, also known as Compliance Assessment or Pre-Evaluation, assesses your organisation's present security posture. A comparison of the organisation's current information security measures with the standards of ISO 27001 is part of the evaluation. Organisations can use this report to help them achieve ISO 27001 certification.
Analysing the present compliance status with the standard and the breadth of the ISMS parameters across all business processes is part of the Gap Analysis process. Organisations can rely on it to give them the information and the control measures they need to fill any gaps. Using the Gap Analysis, organisations may understand how to enhance and simplify their internal information security management systems to satisfy the ISO 27001 standard.
What is an information security risk assessment?
An ISO 27001 risk assessment helps organisations identify and handle occurrences that might jeopardise sensitive data. Cyber criminals can exploit these weaknesses or staff might make mistakes, therefore the procedure begins by recognizing these potential threats, then determining the amount of risk they pose and finally identifying the best course of action to avoid them.
Both gap analysis and information security risk assessment assist organisations in identifying the risks they face, and then connecting them to appropriate controls that need to be implemented.
Each control is described in Annex A, which is a valuable guide. Even so, you'll most likely want something more comprehensive when it comes to the implementation. This is where ISO 27002 comes in.
The ISO 27002 standard is a set of information security standards designed to assist organisations in implementing, maintaining, and improving their information security management. It is a framework that gives best-practice recommendations on how to implement the controls stated in Annex A of ISO 27001, hence it complements and should be examined alongside ISO 27001.
Both ISO standards have information which is needed when compiling your SoA, so you'll want to have copies of both on hand.
Why is the Statement of Applicability important in ISO 27001 certification?
The SoA, in conjunction with the Scope of the information security management system (4.3 of ISO 27001), provides a summary view of the controls employed by the organisation. The SoA is a basic need for ISO certification of the ISMS and, along with the scope, is one of the first items that an auditor would look for in their audit process.
The SoA and Scope encompass the organisation's goods and services, information assets, processing facilities, systems in use, people engaged, and business processes, regardless of whether it is a virtual one-person company or a multi-site multinational operation with thousands of employees.
Customers who face significant information risk (for example, due to GDPR or other commercial information assets) may want to review the Scope and SoA before purchasing from a supplier to ensure that the ISO certification addresses the business areas involved with their assets.
Given the risks and information assets in scope, a well-presented and simple-to-understand SoA demonstrates the link between the relevant and implemented Annex A controls. Customers, auditors, and other interested parties will develop trust in knowing that the organisation is serious about information security management, especially if it's all integrated into a holistic information security management system.
What information does the Statement of Applicability include?
Before we dive into how a statement of applicability is developed, here is a brief list of what needs to be included in an SoA:
- A list of the 114 Annex A controls
- Whether or not each control has been implemented.
- Justification for each control’s inclusion or exclusion.
- A concise explanation of the steps to implement each applicable control, referencing the policy and control that provides the necessary context.
The SoA provides a window into an organisation's Information Security Management System. A lack of understanding of the ISMS’s interconnectivity might lead to difficulties. When an auditor is unable to trust the administration of the ISMS and the documentation is either poorly maintained or absent, an ISO 27001 audit is likely to fail. To avoid this, double-check your document for all of these crucial elements.
What are the benefits of Statement of Applicability?
Apart from being one of the main documents required for ISO 27001 certification, the SoA takes a deeper look at an organisation’s processes and procedures, providing the following benefits:
- SoA provides a wide view of what the company is doing to safeguard its information, and helps identify, organise, and document the security measures in place by giving traceability between the controls of the standard and what is done in the business.
- It provides a rationale for the inclusion or exclusion of each control, which are components that are not included in the Risk Assessment.
- The key recommendation for both internal and external auditors is to document every appropriate control and indicate whether it has been applied or not. In most cases, an auditor will first review the Statement of Applicability, and then carry out the audit and verify that the documentation follows the stated requirements.
- An SoA can have a substantial impact on the regulatory environment as well. The document can be used to establish that your defences were the result of an ISO 27001-compliant risk assessment in the event of a data breach investigation.
Now that you understand the importance of an SoA and what benefits it can bring to your organisation, let’s take a look at how to create one.
How do you create a Statement of Applicability?
If you have never done an ISO 27001 risk assessment or created a Statement of Applicability, or even if you simply wish to enhance your strategy and outcomes, six stages can help you construct a successful ISO 27001 SoA.
Stage 1: Understand what controls need to be included and how to incorporate them
Your Statement of Applicability preparation begins with an awareness of how many controls and which of 114 controls will be included. As previously stated, each item will include further information about the control and, if possible, link to relevant resources regarding the control's implementation.
Stage 2: Identify and analyse risks
Identify and examine any hidden risks that might jeopardise the confidentiality, integrity, and availability of any asset covered by your ISMS with your team. The first step is to identify any risks that may exist. The second step is to identify any vulnerabilities in your asset and any threats that may be able to exploit those vulnerabilities.
Stage 3: Choose controls to treat risks
After identifying and analysing risks, you must take steps to decrease them to a manageable level. Risks can be addressed in four ways, according to ISO 27001:
- Retain or tolerate
- Avoid or terminate
- Share or transfer
- Modify or treat
This stage offers you the opportunity to deploy security measures that are most likely to lessen the effect or likelihood of the risk in question.
Stage 4: Develop a Risk Treatment Plan
As part of a certified ISO 27001 ISMS, create a risk treatment plan (RTP) that includes a summary of each detected risk, the solutions chosen for each risk, the owner of each risk, and the projected implementation date of the RTP.
Stage 5: Provide a list of recommended controls
Each control proposed in Annex A must be listed in your SoA, and you must declare whether or not you have implemented each one. When a specific Annex A control is included or omitted, you must offer a reason.
Step 6: Maintain your Statement of Applicability
Your organisation's reaction and adaptability to security challenges, and the ISO's guidelines for the SoA, should be taken into consideration while drafting your document. The International Organisation for Standardisation (ISO) constantly updates its standards to keep up with the rapid developments in technology and how businesses adapt to them.
For these reasons, you must update your SoA regularly to reflect the controls you employ daily and how they develop over time, to remain consistent with your own ISMS and the ISO's concept.
How can DataGuard help you save time when writing a Statement of Applicability?
With a correctly maintained SoA, the management of your organisation’s ISMS will be smooth and error-free now and in the future. Creating an SoA involves performing a risk assessment and gap analysis to properly understand the controls your organisation needs and how to implement them.
Creating an SoA may be daunting, especially if this is your first time, but we are here to help and bridge any knowledge gaps. Experts at DataGuard are ready to assist you at every step of creating your SoA in your journey to becoming ISO 27001 certified. So book an appointment and get started now.