One of the leading risks to businesses across the globe is cyber incidents. In fact, according to a recent survey among risk management experts, 2022 saw many cyber incidents that led to disruptions in business continuity and financial losses. It is a direct consequence of this rise in cyber incidents that companies are now choosing to acquire ISO 27001 certification. ISO 27001 certification will allow you to mitigate all risks related to information security, helping you build trust with customers who are concerned about how you use their information. A Statement of Applicability (SoA) is an indispensable part of achieving ISO 27001 certification. Here is a short guide to make the process as hassle-free as possible.
What is an ISO 27001 Statement of Applicability?
A Statement of Applicability is a mandatory document for ISO 27001 certification. Essentially, it lists all the Annex A controls which your organisation has deemed necessary for mitigating information security risks. Additionally, it lists all the Annex A controls that were excluded, together with the justification for each exclusion.
This document is created primarily for internal communication and is therefore typically shared only within your organisation and with your certification body. As you can imagine, it simplifies the auditing process for the lead auditor by giving a comprehensive overview of all the controls they can expect to find within your organisation. Therefore, if you fail to get this document right, you could potentially delay the certification process. With the help of ISO consulting, you can be confident of getting this document right and passing this stage.
How to write your Statement of Applicability?
Customisation is the key to creating an appropriate Statement of Applicability. Here is a breakdown of the steps that you will need:
Understanding the requirements
The first step is understanding the requirements. This can be overwhelming if you are unfamiliar with the requirements of ISO 27001 or are new to information security. Regardless of your current status, begin by understanding what the ISO 27001 certification is trying to say, the types of controls in Annex A, and the purpose of the SoA.
Conducting a risk assessment
Now that you have some sense of the controls in Annex A, it is time to begin the process of writing an ISO 27001 SoA by conducting a risk assessment. The purpose of conducting a risk assessment is to evaluate the information security risks that are unique to your organisation and could pose harm. If you have already conducted a risk assessment, utilise the findings as a starting point to write your SoA.
Identify the appropriate methodology
Ideally, the risk assessment should be customised to the organisation’s unique environment and circumstances. In other words, it is necessary to select a risk assessment methodology that collects information about the particular risks affecting your company. The majority of risk assessments use a qualitative approach, where judgement is used to categorise risks on a scale from low to high probability.
In a quantitative method, on the other hand, mathematical formulas are used to calculate the expected monetary loss if certain risks materialise. Based upon your unique circumstances, you can use either of the two methodologies or combine them. Alternatively, asset-based or threat-based methodologies can also be used.
Look for expertise
If you do not have an individual with in-depth knowledge and expertise in cyber security, it is beneficial to hire a consultant. A competent individual will help you identify threats that could affect your organisation’s ability to achieve its goals. Only with experience can someone suggest feasible strategies or practical tools to mitigate these threats and determine the best-practice controls used by peers in your industry. This is particularly useful if you are a new organisation, or if you are unfamiliar with risk assessments.
Formulate your risk management strategy
At this point, it is helpful to define your risk management strategy, identify security risks and decide what you need to implement to manage these risks effectively. Once you have determined all parts of your risk management strategy, you will have a clearer picture of which controls best suit your organisation and will make up the components of your Information Security Management System (ISMS).
Select relevant security controls
Since every company is different, only the controls that are relevant to your unique circumstances will effectively protect your information assets. This means that for some companies physical access controls would be beneficial, while for others these controls would offer little benefit.
Complete the SoA
At this point, you will be in a position to craft your SoA. For every Annex A control that you have chosen to exclude, remember to provide an appropriate justification to support this decision. Additionally, you should include the risks that were considered and categorised as high priority. If possible, also include an explanation of why a particular risk was categorised as low and deemed unfit for inclusion.
Annual updates
Once you have completed this document, remember to review it regularly to ensure that you are still meeting the requirements described in ISO 27001.
Conclusion
Writing an SoA depends mostly on understanding your organisation in order to determine the unique risks that might affect you. Once you understand the standard and your unique circumstances, the SoA simply requires you to provide a list of the controls that you have included and a justification for those you have excluded.