Part 3: Risk treatment: The ISO 27001 Statement of Applicability

Part 3: Risk treatment: The ISO 27001 Statement of Applicability

The SoA (Statement of Applicability) is one of the most important ISO 27001 documents you will produce. It should:

  • Identify the controls you’ve selected to address the risks you’ve identified;
  • Explain why you’ve selected them;
  • State whether or not they have been implemented; and
  • Explain why any ISO 27001 Annex A controls have been omitted.

Although ISO 27001 doesn’t require you to use Annex A controls exclusively, you do have to check the controls you select from elsewhere against those in Annex A to ensure that each risk is appropriately mitigated.

This means there will be at least 114 entries in your SoA – one for each Annex A control – each of which will include extra information about each control and, ideally, link to relevant documentation about each control’s implementation.

A risk assessment report can be very long, so an SoA is very useful for everyday operational use. It provides a simple demonstration that controls have been implemented and a useful link to the relevant policies, processes and other documentation and systems that have been applied to treat each identified risk.

Think of it as an index to your ISMS (information security management system).

ISO 27001 technical corrigenda

In 2014 and 2015, two technical corrigenda were issued to address ambiguities in the original version of ISO/IEC 27001:2013. One of these addresses the subclause that mentions the SoA.

ISO 27001 Technical Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015

Subclause 6.1.3 of ISO 27001:2013 originally stated that:

“The organization shall define and apply an information security risk treatment process to:

[…]

  1. d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.”

This was, rightly, deemed ambiguous. Some auditors interpreted it as meaning that the SoA should show:

  • The necessary controls;
  • Justification for including those necessary controls;
  • Whether or not the necessary controls were implemented; and
  • Justification for excluding Annex A controls.

Others interpreted it as meaning that it should show:

  • The necessary controls;
  • Justification for including the necessary controls, regardless of whether or not they had been implemented; and
  • Justification for excluding Annex A controls.

This may seem like a relatively minor difference in interpretation, but it led to a number of nonconformities erroneously being raised in certification audits.

ISO/IEC therefore issued a technical corrigendum in early 2015 to amend subclause 6.1.3 d) to read:

“d) produce a Statement of Applicability that contains:

  • the necessary controls (see 6.1.3 b) and c));
  • justification for their inclusion;
  • whether the necessary controls are implemented or not; and
  • the justification for excluding any of the Annex A controls.”

Technical Corrigendum 2 can be downloaded free of charge direct from ISO’s website, as can Technical Corrigendum 1, which replaces subclause A.8.1.1.

When you purchase the ISO 27001 standard from IT Governance, you automatically receive a copy of both.

Simplify the risk assessment process with vsRisk Cloud

vsRisk Cloud produces an audit-ready ISO 27001 SoA in real time as you go through your risk assessment, saving you time and money while improving the efficiency of your risk assessment process.

Screenshot of an SoA produced by vsRisk Cloud

Want to learn more about vsRisk Cloud?

View our short introductory video here.

For further information and to sign up for a demo, please click here.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.