The Statement of Applicability (SoA) is a key part of an organization’s information security management system (ISMS).
The SoA is the main requirement for companies to achieve ISO certification of the ISMS and it’s one of the first things that an auditor looks for when conducting an audit. Additionally, SoA is one of the most important documents in terms of ISO 27001 compliance.
The SoA has to be available during the audit phase when the auditor tests some of the ISO 27001 controls to ensure that they describe as well as adequately demonstrate that an organization is achieving its control objectives. A company will typically fail an ISO27001 audit or certification if the auditor lacks confidence in the administration of the ISMS and the documentation is managed poorly or missing entirely.
The SoA identifies what ISO 27001 controls and policies a company is using and also benchmarks against the ISO 27001 Annex A controls. ISO 27001 Annex A is a catalogue of the information security controls and objectives companies need to consider during their ISO 27001 implementations.
ISO 27001 applies to companies of all types and sizes, including public and private companies, government entities, and not-for-profit organizations. However, an organization doesn’t necessarily need to apply all 114 information security controls (in 14 categories) set forth in ISO 27001 Annex A; however, it does have to explain which controls it is implementing and why.
The SoA is part of 6.1.3 of the main ISO requirements for ISO 27001, a component of the broader 6.1 requirements, which are focused on actions that address risks and opportunities.
According to 6.1.3 of ISO 27001, an SoA must:
- Identify which controls a company has chosen to deal with the risks it has identified
- Explain why the organization has selected these controls
- State whether the company has implemented the controls
- Explain why the organization has decided to omit certain controls
- Link to the relevant documentation about the implementation for each control the company has implemented—every control should have its own entry
The 14 categories of ISO 27001 controls in Annex A are:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development, and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
A company that has performed a risk assessment and created a risk assessment report may wonder why it should also have to write an SoA.
A risk assessment report is usually longer than an SoA and includes a large number of identified risks, as many as several thousand for large companies. As such, it’s not really useful for day-to-day operations. An SoA, on the other hand, is short and concise, and easier to present to management and easier to keep up to date.
During the risk treatment phase, an organization identifies the controls that are required because it opted to reduce the level of risks based on its risk appetite. However, in an SoA a company identifies the controls that are necessary for other reasons, such as law, contractual requirements, and other processes.