jaecab.blogg.se

Soa iso 27001 example

ISO 27001 Statement of Applicability – Why it is needed

Now why is such a document necessary when you already produced the Risk Assessment Report (which is also mandatory), and which also defines the necessary controls? Here are the reasons:

  • First of all, during risk treatment you identify the controls that are necessary because you identified risks that need to be decreased; however, in the SoA you also identify the controls that are required for other reasons, i.e., because of the law, contractual requirements, other processes, etc.
  • Second, the ISO 27001 Statement of Applicability justifies the inclusion and exclusion of controls from Annex A, and the inclusion of controls from other sources.
  • Third, the Risk Assessment Report could be quite lengthy – some organizations might identify a few thousand risks (sometimes even more), so such a document is not really useful for everyday operational use. The Statement of Applicability, on the other hand, is rather short – it has a row for each control (controls from Annex A, plus the added ones), which makes it possible to present it to management and to keep it up to date.
  • Fourth, and most important, the SoA documents the implementation status of the proposed controls.

What are the mandatory elements of the SoA?

According to the standard, these are the requirements from clause 6.1.3 d) to be fulfilled by a Statement of Applicability document:

  • definition of which controls (security measures) will be applied, covering the suggested controls from ISO 27001 Annex A and potentially those from other sources;
  • justification for inclusion of controls that are applicable;
  • implementation status of the applicable controls (i.e., whether they are implemented or not);
  • justification for the exclusion of controls from Annex A that are not applicable.

Good practice (and most auditors will be looking for this) is also to describe how each applicable control is implemented – e.g., by referencing a document (policy, procedure, working instruction, etc.), by briefly describing the procedure in use, or by naming the equipment that is used.

Please note that Annex A is considered to be comprehensive, but not exhaustive for all situations. That’s why organizations can also consider other sources for the controls (e.g., NIST special publications, ENISA guidelines, etc.).

The SoA document has a central role during the audit

Actually, if you go for ISO 27001 certification, the certification auditor will take your Statement of Applicability and walk around your company checking whether you have implemented your controls in the way you described them in your SoA.