The Statement of Applicability

ISO/IEC 27001:2013 and your SoA







An organisation's journey to certification against ISO/IEC 27001:2013 (information security management system (ISMS) requirements) must include the creation of a statement of the applicable controls (or measures) used within the scope of the ISMS.

The Statement of Applicability (SoA) is a mandatory requirement. It is a 'statement' of the controls (or measures) you have implemented in response to the options you have selected to treat a particular risk.

The simple diagram above (and yes it is simple) shows that the SoA is an 'output' document!

I am going to say that the following is all theory, but only because it causes so much angst.

  • Having identified, within the scope of your ISMS, the source, the cause, the event and the consequence of a risk, and found through analysis and evaluation that it is unacceptable, the business makes the decision to 'treat' the risk in some fashion.
    • It doesn't matter for the moment in which area of the information and cyber security space this risk presents itself; it is the response process that is of concern here.
  • The business may decide that, given its context and the scope of the ISMS (and business need), the most appropriate response will be to modify the level of risk by implementing a control (other options are available, of course).
  • The process will be planned (including 'change'), and its progress to implementation tracked within the risk treatment plan (RTP). 
  • All details related to 'this' risk will find their way onto the risk register.
  • At any given point, the statement detailing the status of all controls within scope can be generated at the touch of a button (keystroke).
  • Given this statement and the RTP, a third-party (Certifying Body) auditor will sample a number of the stated controls and track back to the 'decision making' processes. They are checking to see if the management system is working as required by the standard.
    • If it is stated that a control has been implemented but in reality it hasn't, then the management system is not working.
  • Irrespective of any third-party audit, the senior information risk owner for the business, whether known as the SIRO or perhaps the CFO, CISO, CIO, CTO etc., will be in a position to sign off on the statement, as it will show all applicable 'internal' controls, implemented or being implemented, that address the information and cyber security risk.

Why the angst?

  • The lack of an effective risk process, which results in:
    • the application of controls (measures) as a knee-jerk reaction rather than a methodical approach to managing information and cyber security risk,
    • the fudging of a statement of applicability based upon no decision making process save for checking the wind direction,
  • Believing that Annex A to ISO/IEC 27001:2013 (27K1:13) is the only set of controls that can be used:
    • It is not mandatory,
    • They are out of date,
    • They are only a reference to ensure that no 'necessary controls have been overlooked'. Other control catalogues/lists/references can (and in most cases, should) be used. Indeed, you can create your own if there is a need,
    • Sector-based extensions to Annex A can be used, for example if the business is a Cloud Service Provider, a Broker, a Peer or indeed a Consumer of cloud services.

There are some rules around the SoA for 27K1:13:

  • It should contain all necessary controls,
  • It conforms to the business's specification of its necessary controls,
  • If a variation on an Annex A control is used, and excludes that actual Annex A control entirely, then the business must provide the rationale for exclusion,
  • The SoA must be entitled the Statement of Applicability. With the exception of the SoA, 27K1:13 does not give names to documents.

On a final note regarding Annex A, and to quote ISO/IEC 27007:2020 (Guidelines for information security management systems auditing):
"Necessary controls can be ISO/IEC 27001:2013, Annex A controls, but they are not mandatory. They can be controls taken from other standards (e.g. ISO/IEC 27017) or other sources, or they can have been specially designed by the organization."

If you are looking for further guidance, please get in touch.

KanSecurity Ltd (NL)







