
The Statement of Applicability (SoA)

The controls at the heart of 27001

How to Implement a Statement of Applicability for ISO 27001:2022


Implementing a Statement of Applicability (SoA)


The SoA is a document that outlines which information security controls an organisation has selected to mitigate identified risks and why these controls were chosen. It also justifies any exclusions of controls from Annex A of the standard. Here’s a step-by-step guide to help you through the process.

Step 1: Understand the Context of Your Organization

Before you start drafting your SoA, it's essential to understand the context of your organization.

This requires you to:

  • Determine factors that could impact your information security management system (ISMS), such as market conditions, regulatory requirements, and technological changes.

  • Identify stakeholders (e.g., customers, regulators, suppliers) and their information security expectations.

  • There's guidance on exploring the context and documenting scope here.

Step 2: Define the Scope of Your ISMS

Next, you need to determine the boundaries and applicability of your ISMS.


This should include:

  • Identifying which parts of the organisation (business units, locations, etc.) are included in the ISMS.

  • Determining which information assets will be protected.

  • Defining the processes and technologies involved in the ISMS.

Step 3: Conduct a Risk Assessment

Perform a thorough risk assessment to identify potential threats and vulnerabilities to your information assets.

This includes:

  • Establishing Risk Criteria: Define what constitutes an acceptable level of risk.

  • Identifying Risks: List all potential risks to information security.

  • Analyzing Risks: Assess the impact and likelihood of each risk.

  • Evaluating Risks: Prioritize the risks based on their impact and likelihood.

Step 4: Select Controls from Annex A

Select appropriate controls from Annex A of ISO 27001:2022 based on the risk assessment.


Annex A provides a comprehensive list of security controls categorized into four groups:

  1. Organisational Controls

  2. People Controls

  3. Physical Controls

  4. Technological Controls

Step 5: Justify Control Selections

For each control selected, provide a justification in the SoA.

This justification should explain:

  • Why the Control is Necessary - Describe how the control mitigates identified risks.

  • Implementation Status - Indicate whether the control is already implemented, in progress, or planned.

  • Exclusions - If any Annex A controls are not selected, provide a rationale for their exclusion.
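The scoring in Step 3 and the selection, justification and exclusion records in Steps 4 and 5 fit naturally into a small script. The following is an added example, not code from the page or from any ISO 27001 toolkit: it ranks a constructed risk register by impact × likelihood, treats anything above an assumed acceptance threshold, produces one SoA row per control, and then runs the checks an auditor makes (every excluded control has a rationale, every selected control has an implementation status, every treated risk maps to at least one control). The control identifiers are a hand-picked subset of Annex A; the threshold, risk data and statuses are invented for illustration.

```python
from dataclasses import dataclass

# Assumed subset of ISO 27001:2022 Annex A control identifiers. The page lists
# only the four themes; the full annex has 93 controls, a handful are used here.
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.7": "Threat intelligence",
    "6.3": "Information security awareness, education and training",
    "7.1": "Physical security perimeters",
    "8.7": "Protection against malware",
    "8.8": "Management of technical vulnerabilities",
    "8.13": "Information backup",
}
# Step 3 risk criteria (assumed): a risk scoring above this impact*likelihood
# product must be treated; at or below it is accepted without a control.
ACCEPTANCE_THRESHOLD = 6
VALID_STATUSES = ("implemented", "in progress", "planned")


@dataclass
class Risk:
    rid: str
    description: str
    impact: int        # 1 (negligible) .. 5 (severe)
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    controls: tuple    # Annex A control ids chosen to treat the risk

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass
class SoAEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str      # why selected, or why excluded
    status: str = "n/a"     # implementation status for selected controls


def prioritise(risks):
    """Step 3: rank risks by impact*likelihood, highest first (stable for ties)."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def build_soa(risks, statuses, exclusions):
    """Steps 4-5: one SoA row per Annex A control, either selected or excluded.
    statuses: control_id -> status; exclusions: control_id -> rationale."""
    selected = {}  # control_id -> ids of the risks it treats
    for r in risks:
        if r.score <= ACCEPTANCE_THRESHOLD:
            continue  # accepted risk: no treatment, so no control selected for it
        for cid in r.controls:
            selected.setdefault(cid, []).append(r.rid)
    rows = []
    for cid, title in ANNEX_A.items():
        if cid in selected:
            why = "Mitigates risk(s): " + ", ".join(selected[cid])
            rows.append(SoAEntry(cid, title, True, why, statuses.get(cid, "planned")))
        else:
            rows.append(SoAEntry(cid, title, False, exclusions.get(cid, "")))
    return rows


def find_gaps(rows, risks):
    """Auditor-style consistency checks over the drafted SoA and the register."""
    gaps = []
    for e in rows:
        if not e.applicable and not e.justification:
            gaps.append(f"{e.control_id}: excluded without rationale")
        if e.applicable and e.status not in VALID_STATUSES:
            gaps.append(f"{e.control_id}: invalid implementation status '{e.status}'")
    for r in risks:
        if r.score > ACCEPTANCE_THRESHOLD and not r.controls:
            gaps.append(f"{r.rid}: above acceptance threshold but no controls selected")
    return gaps


# Constructed sample risk register, statuses and exclusion rationales (not real data).
RISKS = [
    Risk("R1", "Ransomware on file servers", 5, 3, ("8.7", "8.13", "8.8")),
    Risk("R2", "Unpatched internet-facing services", 4, 4, ("8.8",)),
    Risk("R3", "Tailgating into server room", 3, 2, ("7.1",)),
    Risk("R4", "Credential phishing of staff", 4, 4, ("6.3",)),
    Risk("R5", "Insider exfiltration of customer data", 4, 2, ()),
]
STATUSES = {"8.7": "implemented", "8.13": "implemented", "8.8": "in progress", "6.3": "planned"}
EXCLUSIONS = {
    "7.1": "Servers sit in a third-party data centre; the perimeter is in supplier scope",
    "5.7": "Threat intelligence is provided by the managed SOC supplier under contract",
}


def example():
    rows = build_soa(RISKS, STATUSES, EXCLUSIONS)
    return rows, find_gaps(rows, RISKS)


if __name__ == "__main__":
    rows, gaps = example()
    for e in rows:
        mark = "SELECTED" if e.applicable else "EXCLUDED"
        print(f"A.{e.control_id:<5} {mark:<8} {e.status:<12} {e.title} :: {e.justification}")
    print("Gaps:", gaps or "none")
```

Run as written, the gap check reports two findings: control 5.1 is left out with no rationale (no risk happened to reference it, which is the usual way a mandatory-looking control silently drops off an SoA), and R5 sits above the acceptance threshold with no control assigned. Both are exactly the omissions a certification auditor asks about, and catching them at draft time is cheaper than at the Step 6 review.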


Step 6: Review and Approval

Once drafted, the SoA should be reviewed and approved by the relevant stakeholders, including senior management. Ensure the document is clear, concise, and accurately reflects the organisation's approach to information security.

Step 7: Maintain and Update the SoA

The SoA is not a static document. It should be reviewed and updated regularly to reflect changes in:

  • Risk environments, such as new threats or vulnerabilities.

  • Business processes.

  • Updates in technology that could impact information security.

Conclusion

Creating a Statement of Applicability is a systematic process that requires a deep understanding of your organisation's context, a thorough risk assessment, and careful selection of controls.
