Part 3: Risk treatment: The ISO 27001 Statement of Applicability

The Statement of Applicability (SoA) is one of the most important ISO 27001 documents you will produce. It should:

  • identify the controls you’ve selected to address the risks you’ve identified,
  • explain why you’ve selected them,
  • state whether or not they have been implemented, and
  • explain why any ISO 27001 Annex A controls have been omitted.

Although ISO 27001 doesn’t require you to use Annex A controls exclusively, you do have to check the controls you select from elsewhere against those in Annex A to ensure that each risk is appropriately mitigated.

This means there will be at least 114 entries in your SoA – one for each Annex A control – each of which will include extra information about each control and, ideally, link to relevant documentation about each control’s implementation.

A risk assessment report can be very long, so an SoA is a very useful document for everyday operational use – a simple demonstration that controls have been implemented and a useful link to the relevant policies, processes and other documentation and systems that have been applied to treat each identified risk.

Think of it as an index to your ISMS.

ISO 27001 technical corrigenda

An important thing to note is that two technical corrigenda were issued in 2014 and 2015 to address ambiguities in the original version of ISO/IEC 27001:2013. One of these corrigenda addresses the subclause that mentions the SoA, so it’s worth discussing here.

ISO 27001 Technical Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015

Subclause 6.1.3 of ISO 27001:2013 originally stated that:

“The organization shall define and apply an information security risk treatment process to:

[…]

“d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A”.

This was, rightly, deemed ambiguous. Some auditors interpreted it as meaning that the SoA should show:

  • The necessary controls
  • Justification for including those necessary controls
  • Whether or not the necessary controls were implemented
  • Justification for excluding Annex A controls

while others interpreted it as meaning that it should show:

  • The necessary controls
  • Justification for including the necessary controls, regardless of whether or not they had yet been implemented
  • Justification for excluding Annex A controls

This may seem like a relatively minor difference in interpretation, but it led to a number of nonconformities erroneously being raised in certification audits.

ISO/IEC therefore issued a technical corrigendum in early 2015 to amend subclause 6.1.3 d) to read:

  1. d) produce a Statement of Applicability that contains:
  • the necessary controls (see 6.1.3 b) and c));
  • justification for their inclusion;
  • whether the necessary controls are implemented or not; and
  • the justification for excluding any of the Annex A controls.

Technical Corrigendum 2 can be downloaded free of charge direct from ISO’s website, as can Technical Corrigendum 1, which replaces subclause A.8.1.1.

We suggest that you download both when you buy your copy of the Standard. When you purchase the ISO27001 standard from IT Governance, you automatically receive a copy of both.

Simplify the risk assessment process with vsRisk™

vsRisk produces an audit-ready ISO 27001 SoA in real time as you go through your risk assessment, saving you time and money while improving the efficiency of your risk assessment process.

Screenshot of an SoA produced by vsRisk

To find out more about vsRisk, click here >>

Book a free online demonstration >>

Leave a Reply

Your email address will not be published. Required fields are marked *