Creating a Statement of Applicability (SoA) is a crucial step in implementing an Information Security Management System (ISMS) compliant with ISO 27001. Your SoA document not only outlines the security controls that your organisation has decided to implement but also provides justification for those it has excluded.
Before you draft your SoA, take a look at the steps below.
Step 1: Understand ISO 27001 Control Clauses
Before you begin drafting the SoA, familiarise yourself with Annex A of ISO 27001, which contains a list of 93 security controls, grouped into 4 themes:
Organisational
People
Physical
Technological
Please note that this is different to the 2013 iteration of the Standard. That version of Annex A contained 114 controls divided into 14 domains.
Understanding these themes and controls is crucial as they cover various aspects of information security management, including access control, cryptography, physical security, and compliance.
Step 2: Conduct a Risk Assessment
The foundation of an effective SoA is a thorough risk assessment. Identify potential security threats and vulnerabilities that could affect your organisation. Assess the likelihood and impact of these risks materialising. This assessment will guide which controls are necessary and which are not.
Step 3: Select Relevant Controls
Based on the risk assessment, determine which controls from Annex A are relevant to mitigating your identified risks. Not all controls will be applicable; select only those that correspond to real and measured risks.
Step 4: Justify Inclusions and Exclusions
For each control selected, document the rationale behind its inclusion. This justification should link directly to the findings of your risk assessment. Conversely, for each control that is not selected, provide a clear explanation supported by your risk assessment results, demonstrating why it is unnecessary or irrelevant.
Step 5: Document Control Implementation
For each control you implement, describe how it is being applied within your organisation. This documentation should include details about the processes, tools, and responsibilities assigned to manage and maintain the control. This level of detail helps during audits to demonstrate the control’s effectiveness.
Step 6: Review and Obtain Approval
The SoA should be reviewed by key stakeholders within your organisation. This includes heads of relevant departments, IT security teams, and senior management. Their insights can help refine the SoA, ensuring it comprehensively covers all aspects of your organisation's information security.
Step 7: Integrate with the Overall ISMS
Ensure that the SoA is fully integrated with other elements of your ISMS, such as policies, procedures, and the risk treatment plan. This integration ensures that all security efforts are aligned and working towards the same objectives.
Step 8: Maintain and Update Regularly
The SoA is not a static document; it should be regularly reviewed and updated to reflect new security threats, changes in business operations, or updates in legal and regulatory requirements. This continual updating is part of maintaining ISO 27001 compliance.
Drafting a Statement of Applicability is a detailed and dynamic process that requires careful consideration of your organisation’s risk environment and security needs. By following these steps, you can ensure that your SoA not only complies with ISO 27001 but also effectively supports your overall security strategy. This document will serve as a cornerstone for your ISMS, guiding ongoing security management and improvement.