Control of the Month: SoA for ISO 27001
This article is part of our Control of the Month series where we discuss information security controls. This series is brought to you by the Tugboat Logic Labs team. They have a combined 100+ years of information security experience as previous auditors from the Big 4 (Deloitte, EY, PwC and KPMG) and consultants across industries. The goal? To help you easily understand, implement and maintain each control. And even impress your auditor! Today, we’re unpacking the Statement of Applicability for ISO 27001.
Your Statement of Applicability for ISO 27001, otherwise known as your SoA, is a mandatory step for anyone planning on pursuing ISO 27001. It acts like a summary of your ISO 27001 controls. Let’s get into everything you need to know before starting your SoA, straight from the experts.
What Is The Statement Of Applicability in ISO 27001?
Unlike SOC 2, ISO 27001 comes with a standard set of controls. They are the Annex A controls. There’s 114 of them in ISO 27001:2013. ISO 27001 is releasing a 2022 update later this year (ISO 27001:2022). ISO 27002:2022 (the guidance for ISO 27001: 2022) has already been released. Security auditors are still using the 2013 version of ISO 27001, so you should continue to use this version to until ISO 27001:2022 is released.
Your SoA outlines which of the standard 114 Annex A ISO 27001:2013 controls apply to your organization. It is really an overview of the details and reasoning behind your applicable and not applicable controls.
To meet ISO 27001 requirements your SoA must include the following for each control:
- Control title and description
- Whether control is applicable to your business or not
- Justification for applicability or non-applicability
The following are recommended, but not required:
- Whether the control is currently implemented or not
- Risk covered by the specific control
Your SoA cannot skip any of the 114 ISO 27001:2013 controls, even the ones that don’t apply to you.
“If any of the 114 Annex A controls are absent from your SoA you will get a non-conformity (meaning you won’t pass your audit). Your justifications for why each control is applicable or not doesn’t have to be paragraphs long. But, it should show your auditor that you and your senior leadership have thought about your business’s unique risks and how to cover them.”- Jitendra Juthani, Tugboat Logic’s Director of InfoSec Risk and Compliance in our “Intro to ISO 27001” Webinar
What About Mandatory Clauses?
You do not have to include the mandatory clauses (clause 4 – 10) in your SoA. Your SoA only speaks to controls that are not mandatory, the Annex A controls.
Why Is the SoA So Important for Your ISO 27001 Audit?
Generally, the Statement of Applicability is important because it provides the scope of your ISO 27001 project for your auditor.
Also, your auditor will use your SoA to determine whether or not you will be certified for ISO 27001 when it comes time for your actual audit. It will be like your auditor’s audit “cheat sheet.”
The final version of your SoA will be included in your ISO 27001 certification document at the end of your audit.
How to Get Started With Your Statement of Applicability
So, let’s start on this critical document. Your Statement of Applicability fits into the broader task in your ISO 27001 project called scoping.
Some ISO 27001 compliance software providers do scoping in an onboarding interview. Tugboat Logic’s platform includes a simple 15 question questionnaire to scope your ISO 27001 project.
Regardless of how you decide to prepare for your ISO 27001 audit, it’s important to start thinking about questions like:
- Does your physical office have access points such as delivery and loading areas?
- Do you collect any personally identifiable information (PII)?
- Does your company outsource any development activities?
- Do you use any vendors or suppliers to deliver your services or products?
- Does your organization maintain any removable storage media that contains sensitive information?
You can determine the risks that associated with your business based on the answers to questions like these. Along with what controls are needed to mitigate them. For example, Control A.11.1.6, is concerned with delivery and loading areas. If your business doesn’t have a delivery or loading area, then this control is not applicable to you.
5 Preliminary Steps for Anyone Planning on Pursuing ISO 27001
You should know that compliance software will automate the steps below for you. Once you have completed your scoping questionnaire Tugboat Logic’s platform will automatically:
- Generate a list of which 114 Annex A controls are applicable to your business, those that are not and recommendations for written justifications for all controls.
- Monitor your controls’ real-time implementation status, track approvals and connect your readiness project and risk assessment.
Working at this on your own? Here is how you start:
- Create a spreadsheet that contains all of the ISO 27001 controls.
- Mark which controls are applicable vs. not applicable along with justification.
- Identify whether the applicable controls have already been implemented or not. (Expert quick tip: ISO 27001 auditors will look for a description of how each applicable control is implemented and reference to the document, policy, or procedure that is used to mitigate risk as a best practice).
- Get a member of your senior management team to review and approve your SoA (this is mandatory and there must be evidence of this on the SoA document). You now have draft 1 of your SoA, great job!
- If anything changes within the scope of your ISO 27001 project, be sure to update your SoA.
How you keep track of your documentation and manage version control are big priorities of the entire ISO 27001 process. That is why you must note any changes to your SoA and keep all previous versions of the document. Update your SoA at any point, there are no version limitations. But, auditor needs to know which version you want to for your certification process in your audit.
Statement of Applicability vs. Risk Assessment Report
If you have already looked into ISO 27001, you may be asking yourself “isn’t this the same as the risk assessment report?” Or “why is the SoA mandatory when the Risk Assessment Report already defines my necessary controls?”
First, controls that are purely based on risks that need to be mitigated are included in the Risk Assessment Report. However, your SoA identifies controls that are required for other reasons beyond risk.
Some reasons could include the specific laws of your region, contractual requirements with vendors, or other business operations processes. Your SoA includes justifications for controls from other sources beyond risk and Annex A.
The SoA further acts as a concise summary of your controls. It is fairly short and organized with a row for each control. This makes it easy to present to your management or security team and update whenever necessary.
Whereas, the Risk Assessment Report can be very long and more detailed (some organizations may identify over 100 risks). It isn’t very practical for everyday operations or for your ISO 27001 certification document.
Where Can I Get More Guidance on My SoA?
This all may still feel like a lot. But, no need to stress. With a bit of guidance and the proper tools to assist you, creating your SoA and achieving ISO 27001 certification is a breeze. If you still have any questions, our team of experts is always here to help.
If you want to see how automation can simplify and demystify this process for you, grab a free trial of our platform.