ISO 27001: How to Write a Statement of Applicability
Cyber incidents were ranked the leading risk to businesses globally for 2022 in a recent survey of risk management experts. The category covers cybercrime, IT failures and outages, data breaches, and the fines and penalties that follow them.
All of this isn’t great news for your data or for your business.
For these and other reasons, companies are choosing to pursue ISO 27001 certification. ISO 27001 can help you mitigate risks and build trust with customers who are increasingly concerned about how their information is handled.
A major component in pursuing ISO 27001 certification is your Statement of Applicability (SoA). If you’re not sure where to begin, consider this post your quick start guide to make the process as stress-free as possible.
What’s an ISO 27001 Statement of Applicability?
A Statement of Applicability is a document required for ISO 27001 certification (clause 6.1.3 d). It lists every Annex A control, states whether your organization determined the control to be necessary for treating its information security risks or excluded it, gives the justification either way, and records whether each included control is currently implemented.
This is an internal document that you typically share only within your organization and with your certification body. That said, it is essential to get it right: auditors work from it, and a gap or contradiction can slow down certification.
How to Create Your Statement of Applicability
Here’s a breakdown of the steps you’ll need to take to put together an SoA for your organization.
Understand the Requirements
The first step to writing an ISO 27001 Statement of Applicability is understanding the requirements, which can be overwhelming if you're new to information security or ISO 27001.
Still, understanding these requirements will help ensure that your SoA is accurate and complete. For a high-level breakdown of ISO 27001 requirements, check out this guide.
Conduct a Risk Assessment
To begin writing an ISO 27001 Statement of Applicability, you will need to conduct a risk assessment. The purpose of this step is to identify and evaluate the information security risks that could cause harm or loss to your organization.
If you have already completed a risk assessment, use that information as a starting point.
If not, start by:
Determining the Appropriate Methodology
Your risk assessment should be tailored to your organization's environment and circumstances. In other words, choose a risk assessment methodology that gathers the information you need about the particular risks affecting your company.
Most risk assessments follow either a qualitative approach, which uses expert judgment to rate the likelihood and impact of each risk on a scale such as low/medium/high, or a quantitative approach, which uses estimates of event frequency and loss size to calculate an expected monetary loss per risk. Either can be combined with an asset-based or threat-based method of identifying the risks in the first place.
ISO/IEC 27005 and NIST SP 800-30 both provide guidance on choosing and applying a risk assessment methodology.
Looking for Guidance
If you don't have a cybersecurity expert on your team, you could hire a consultant to help identify the threats that could keep your organization from achieving its goals. They may suggest strategies or tools they have used with companies in your industry, which can help shape your own plan.
Again, this can be particularly useful if you’re a new organization or don’t have much experience with risk assessments. Getting input from others can help create a more complete risk profile.
Determine Your Risk Management Strategy
This is the point where you define your risk management strategy: which risks you will treat, and how. For each identified risk you decide whether to modify it by applying controls, avoid it by stopping the activity that causes it, share it (for example through insurance or a supplier), or accept it as it is. For example, an organization may decide to treat the risk of exposed sensitive data by implementing an encryption solution.
Once you have defined every part of your risk treatment plan, you will have a clearer picture of which type(s) of controls best address each risk within the scope of your ISMS.
Select the Security Controls Most Relevant to Your Organization
Every company is different, and that means the controls you implement may be unique to your organization or industry.
If you run a large manufacturing business with multiple warehouses where inventory is constantly being shipped out or returned to storage, physical access controls will almost certainly be applicable and part of your ISO 27001 certification process.
Other companies may find that they face few physical security risks and that a different set of controls sits at the top of their priority list.
Complete the SoA
At this point, you have everything you need to put your Statement of Applicability together.
If you have chosen to exclude an Annex A control, you must provide a justification for that decision. A good justification points back to the risk assessment: the control addresses a risk that does not apply to you, or an activity (such as in-house software development) that is outside the scope of your ISMS. "We chose not to" is not a justification an auditor will accept.
You will also need to document the reason for including each Annex A control, and whether it is implemented yet. Typically the reason is that the control was selected in your risk treatment plan to treat a specific information security risk; other valid reasons are a legal, regulatory or contractual requirement, or an organizational policy.
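As an added example (not code from the original post or from Drata), the check below cross-references a risk treatment plan against a draft SoA and reports the defects an auditor would pick up: a control the plan relies on that is missing or marked excluded, a row without a justification, an applicable control that is not yet implemented, and an included control that no treated risk explains. The control IDs and titles follow ISO/IEC 27001:2022 Annex A numbering; the risks, the treatment plan and the SoA rows are constructed sample data.

```python
"""Consistency check between a risk treatment plan and a draft Statement of
Applicability (SoA). Added example, not code from the original post or from
Drata: the risk register, treatment plan and SoA rows below are constructed
sample data; control IDs and titles follow ISO/IEC 27001:2022 Annex A."""
from dataclasses import dataclass


@dataclass
class SoARow:
    control_id: str      # Annex A reference, e.g. "A.8.24"
    title: str
    applicable: bool     # True = included, False = excluded
    justification: str   # required for inclusion AND exclusion
    implemented: bool    # clause 6.1.3 d) asks for implementation status


@dataclass
class Finding:
    control_id: str
    code: str
    message: str


# Constructed treatment plan: risk ID -> Annex A controls chosen to treat it.
TREATMENT_PLAN = {
    "R-01": ["A.8.24"],          # customer data on lost or stolen laptops
    "R-02": ["A.7.2", "A.7.4"],  # unauthorised entry to the warehouse floor
    "R-03": ["A.8.25"],          # defects in internally developed software
    "R-04": ["A.8.8"],           # unpatched internet-facing hosts
}

# Constructed draft SoA with several deliberate defects for the check to catch.
SOA = [
    SoARow("A.5.1", "Policies for information security", True, "Needed to run the ISMS (clause 5.2)", True),
    SoARow("A.7.2", "Physical entry", True, "Treats R-02", True),
    SoARow("A.7.4", "Physical security monitoring", True, "", False),
    SoARow("A.8.24", "Use of cryptography", True, "Treats R-01", True),
    SoARow("A.8.25", "Secure development life cycle", False, "No in-house software development", False),
    SoARow("A.8.26", "Application security requirements", True, "", False),
]


def check_soa(soa, plan):
    """Return the findings an auditor would raise against this SoA."""
    findings = []
    by_id = {row.control_id: row for row in soa}
    needed = {}  # control ID -> risks whose treatment relies on it
    for risk, controls in plan.items():
        for control in controls:
            needed.setdefault(control, []).append(risk)

    # A control the treatment plan depends on must be in the SoA and applicable.
    for control, risks in sorted(needed.items()):
        row = by_id.get(control)
        if row is None:
            findings.append(Finding(control, "MISSING", f"selected to treat {risks} but absent from SoA"))
        elif not row.applicable:
            findings.append(Finding(control, "EXCLUDED_BUT_NEEDED", f"excluded, yet selected to treat {risks}"))

    for row in soa:
        # Every row needs a reason, whether the control is included or excluded.
        if not row.justification.strip():
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append(Finding(row.control_id, "NO_JUSTIFICATION", f"no justification for {kind}"))
        if row.applicable and not row.implemented:
            findings.append(Finding(row.control_id, "NOT_IMPLEMENTED", "applicable but not yet implemented; plan and date it"))
        # Included without a treated risk is fine for legal/contractual/policy reasons, so flag for review.
        if row.applicable and row.control_id not in needed:
            findings.append(Finding(row.control_id, "NO_RISK_LINK", "no treated risk; confirm the justification is legal, contractual or policy"))
    return findings


def summarize(soa):
    """Headline numbers for the SoA cover page."""
    return {
        "total": len(soa),
        "applicable": sum(r.applicable for r in soa),
        "excluded": sum(not r.applicable for r in soa),
        "implemented": sum(r.applicable and r.implemented for r in soa),
    }


if __name__ == "__main__":
    for f in check_soa(SOA, TREATMENT_PLAN):
        print(f"{f.control_id:8} {f.code:20} {f.message}")
    print(summarize(SOA))
```

Run against the sample data, the check reports A.8.8 as missing from the SoA, A.8.25 as excluded even though the plan relies on it, A.7.4 and A.8.26 as lacking a justification, and A.5.1 and A.8.26 as included without a treated risk. Replace the two constructed tables with exports from your own risk register and SoA spreadsheet; the checks are the same ones an auditor applies by hand.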
Plan Annual Updates
Once you have completed your Statement of Applicability and risk assessment, keep a close eye on both. Review the SoA at least annually, and whenever the risk assessment is repeated or a significant change occurs (new systems, new locations, new customer or regulatory requirements), so that it still reflects the controls you actually rely on and the requirements of the standard.
Also stay up to date with technology changes that may affect your program and risk treatment plan.