The SoA (Statement of Applicability) is one of the key documents in an ISO 27001 ISMS (information security management system).
It identifies the controls you have selected to address the risks that were identified in the risk assessment process, explains why those controls have been selected, states whether or not they have been implemented, and explains why any Annex A controls have been omitted.
As such, it provides an effective outline of the entire ISMS.
What does ISO 27001:2013 require?
The original version of ISO 27001:2013 was deemed unclear, so ISO/IEC issued a technical corrigendum in 2015 to amend subclause 6.1.3, which sets out the requirements of an SoA.
This clarifies that, as part of the risk treatment process, organisations must produce an SoA that contains:
- the necessary controls;
- justification for their inclusion;
- whether the necessary controls are implemented or not; and
- the justification for excluding any of the Annex A controls.
We suggest that you download both corrigenda when you buy your copy of ISO 27001. When you purchase the Standard from IT Governance, you’ll automatically receive a copy of both.
Legal, contractual and regulatory requirements
ISO 27001 requires an ISMS to take account of – and to document – the organisation’s legal, statutory, regulatory or contractual requirements, and its approach to meeting them.
The SoA will record information about controls that relate to these requirements, and indicate whether they were implemented for reasons other than the risk assessment.
Benefits of the SoA
A risk assessment report can be quite lengthy – indeed, some organisations might identify thousands of risks – and is therefore not particularly useful for everyday operational use.
The SoA, however, is relatively concise and can be used as an overview of the entire ISMS.
The SoA is also useful as a simple way of identifying the policies, procedures and other documentation or systems that have been applied in order to treat the identified risks.
The SoA must be updated regularly in line with the continual improvement philosophy of ISO 27001:2013, and as evidence of improvements to controls or compliance requirements.
Producing an SoA with vsRisk™
Vigilant Software’s risk assessment software vsRisk automatically builds an SoA as you conduct your risk assessment. It provides all the information you require, in an audit-ready format.
Here’s what a vsRisk-created SoA looks like:
In addition, its integrated risk, vulnerability and threat databases eliminate the need to compile a list of risks from scratch, and the built-in control sets help you comply with multiple frameworks.