ISMS Statement of Applicability

by Elina D

What is an ISMS Statement of Applicability?

An ISMS Statement of Applicability (SoA) is the document in which an organisation records, for every control in Annex A of ISO/IEC 27001, whether the control applies to its information security management system (ISMS), why it was included or excluded, and whether it has been implemented. Clause 6.1.3 of the standard requires it, and it is the main artefact an auditor uses to trace the organisation's risk treatment decisions to the controls actually in place. The SoA is also used to communicate the status of the ISMS to interested parties, such as senior management, clients, and auditors. It is not a static document; it should be updated as the ISMS and the risks it addresses evolve.

An ISMS SoA typically contains the following information:

  • The scope of the ISMS and a summary of the organisation's security posture
  • The ISMS objectives
  • Each Annex A control, with a statement of whether it is applicable
  • The justification for including each applicable control (typically the risk, legal, contractual or business requirement it addresses)
  • The justification for excluding each control that is not applicable
  • The implementation status of each applicable control
  • Gaps in the ISMS (controls selected but not yet fully implemented)
  • Plans for remediation of identified gaps.

    The importance of the ISO 27001 Statement of Applicability

    The ISO 27001 statement of applicability is a document that specifies which security controls from Annex A of the standard are relevant and applicable to an organisation's specific circumstances. This document is important because it helps organisations to prioritise their security efforts and choose the most appropriate security controls for their needs. Additionally, the statement of applicability can be used to demonstrate to auditors and other interested parties that an organisation is actively managing its security risks. Annex A of ISO/IEC 27001:2013 lists 114 controls divided into 14 categories (the 2022 revision reorganises them into 93 controls under 4 themes, so the SoA should state which edition it follows).

    These categories cover different aspects of information security, including access control, asset management, business continuity, and more. The statement of applicability should identify which of these controls are relevant to the organisation and explain why they have been selected. Additionally, the statement should detail how the controls will be implemented and monitored.
    When creating a statement of applicability, organisations should first perform a risk assessment to identify which security risks are most relevant to their operations. Once the risks have been identified, the organisation can then determine which security controls are best suited to mitigating those risks. The statement of applicability should be reviewed and updated on a regular basis as new risks are identified and new security controls are implemented.

    Producing and maintaining the Statement of Applicability is one of several actions that ISO 27001 requires in order to establish, document and maintain an ISMS. The actions required are as follows:

    1. Define the scope of the ISMS
    2. Assess risks and select the appropriate controls from Annex A, recording the decisions in the SoA
    3. Build, document and implement the ISMS
    4. Operate the ISMS
    5. Monitor, review and continually improve the ISMS.

      What information needs to be included in the Statement of Applicability? 

      The Statement of Applicability (SoA) is a key document in an information security management system (ISMS), as it provides evidence that the ISMS is appropriate for the organisation's needs and objectives. The SoA should therefore be comprehensive and well-thought-out, covering all aspects of the ISMS.

      In general, the SoA should include the following information:

      • The scope of the ISMS, including a description of the system boundaries
      • The organisation's information security risks and how they have been assessed
      • The security controls that have been selected to mitigate the risks, the justification for each inclusion and exclusion, and how the selected controls are implemented
      • The extent to which the selected controls meet the organisation's security requirements
      • The monitoring and review arrangements for the ISMS

      The SoA should be reviewed and updated on a regular basis, in line with changes to the organisation's information security risks, requirements, and controls.
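      The sections above describe a chain that an auditor will check: risks identified in the assessment lead to controls, every Annex A control gets an applicability decision, and every decision carries a justification and an implementation status. The following is an added example, not code from the original article, showing how such consistency checks can be automated over an SoA kept as structured data. The Annex A subset, the risk register and the SoA rows are constructed sample data (2013-edition control identifiers); a real SoA covers every Annex A control.

```python
from dataclasses import dataclass, field

# Constructed subset of ISO/IEC 27001:2013 Annex A; a real SoA lists all 114.
ANNEX_A = {
    "A.9.2.3": "Management of privileged access rights",
    "A.9.4.2": "Secure log-on procedures",
    "A.11.1.1": "Physical security perimeter",
    "A.12.4.1": "Event logging",
    "A.14.2.1": "Secure development policy",
}


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str                               # mitigate | accept | transfer | avoid
    controls: list = field(default_factory=list)  # Annex A ids chosen to treat it


@dataclass
class SoaRow:
    control_id: str
    applicable: bool
    justification: str                           # why included or why excluded
    status: str                                  # implemented | partial | planned | n/a


# Constructed sample risk register (the output of the risk assessment step).
RISKS = [
    Risk("R-01", "Admin credential misuse on production", "mitigate",
         ["A.9.2.3", "A.12.4.1"]),
    Risk("R-02", "Brute force against customer portal logins", "mitigate",
         ["A.9.4.2"]),
    Risk("R-03", "Theft from the office (no on-premise systems in scope)", "accept"),
]

# Constructed sample SoA rows (the output of the control selection step).
# A.12.4.1 is deliberately wrong: R-01 relies on it, yet it is excluded without reason.
SOA = [
    SoaRow("A.9.2.3", True, "Treats R-01", "implemented"),
    SoaRow("A.9.4.2", True, "Treats R-02", "partial"),
    SoaRow("A.11.1.1", False, "All in-scope systems are hosted by a cloud provider; "
           "the physical perimeter is covered by the provider's ISO 27001 certificate", "n/a"),
    SoaRow("A.12.4.1", False, "", "n/a"),
    SoaRow("A.14.2.1", True, "Contractual requirement from a client", "planned"),
]


def validate_soa(annex_a, risks, rows):
    """Return a list of findings; an empty list means the SoA is internally consistent."""
    findings = []
    by_id = {}

    # Every Annex A control needs exactly one applicability decision.
    for row in rows:
        if row.control_id not in annex_a:
            findings.append(f"{row.control_id}: not an Annex A control")
        if row.control_id in by_id:
            findings.append(f"{row.control_id}: listed more than once")
        by_id[row.control_id] = row
    for cid in annex_a:
        if cid not in by_id:
            findings.append(f"{cid}: no applicability decision recorded")

    # Inclusions and exclusions both need a justification, and status must match the decision.
    for cid, row in by_id.items():
        if not row.justification.strip():
            kind = "inclusion" if row.applicable else "exclusion"
            findings.append(f"{cid}: missing justification for {kind}")
        if row.applicable and row.status == "n/a":
            findings.append(f"{cid}: applicable but implementation status is n/a")
        if not row.applicable and row.status != "n/a":
            findings.append(f"{cid}: excluded but has implementation status {row.status}")

    # Traceability: any control a risk treatment relies on must be marked applicable.
    needed = {}
    for risk in risks:
        if risk.treatment != "mitigate":
            continue
        if not risk.controls:
            findings.append(f"{risk.risk_id}: treatment is mitigate but no controls selected")
        for cid in risk.controls:
            needed.setdefault(cid, []).append(risk.risk_id)
    for cid, risk_ids in needed.items():
        row = by_id.get(cid)
        if row is None or not row.applicable:
            findings.append(f"{cid}: required by {', '.join(risk_ids)} but not marked applicable")

    return findings


if __name__ == "__main__":
    for finding in validate_soa(ANNEX_A, RISKS, SOA):
        print(finding)
```

      Run against the sample data, the checks report that A.12.4.1 has no exclusion justification and that risk R-01 depends on it while the SoA excludes it; both are exactly the kind of inconsistency an external auditor will raise. Keeping the SoA as data rather than a prose table makes it cheap to re-run these checks every time the risk register changes.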

      How do you create the Statement of Applicability? 

      The Statement of Applicability (SoA) is a document that is required for all organisations aiming to achieve ISO 27001 certification. The SoA is a living document that should be reviewed and updated on a regular basis. It is usually created by the organisation's lead implementer and approved by the management team.
      The SoA should include the following sections:

      1. Introduction
      2. Scope
      3. Context
      4. Risk Assessment
      5. Control Selection
      6. Implementation and Effectiveness
      7. Management Review

      Each section will be explained in more detail below.

      1. Introduction

      The introduction should provide an overview of the organisation and the purpose of the SoA. It should also identify the lead implementer, the edition of ISO 27001 whose Annex A is being used, and the date that the SoA was created or last revised.

      2. Scope 

      The scope should identify the bounds of the ISO 27001 implementation project. This could include a list of locations, systems, or processes that are in scope for the project. The scope should be reviewed and updated as necessary throughout the duration of the project.

      3. Context 

      The context section should describe the organisation's environment and how it relates to ISO 27001. This could include a description of the organisation's business processes, information security controls, and risk management framework.

      4. Risk Assessment

      The risk assessment should document the organisational risks that have been identified during the ISO 27001 implementation project. These risks should be prioritised based on their likelihood and impact if they were to materialise. The risk assessment should be reviewed and updated on a regular basis.

      5. Control Selection 

      Control selection is the core of the Statement of Applicability (SoA) in an Information Security Management System (ISMS). The objective of control selection is to identify the security controls that are appropriate for the organisation and that will effectively mitigate the risks to the information assets. Each Annex A control should be marked applicable or not applicable, with a justification in either case: an applicable control is traced back to the risk, legal, contractual or business requirement it addresses, and an excluded control is accompanied by the reason it does not apply within the ISMS scope. The factors to consider when selecting controls include the organisational context, the security objectives, and the assessed risks.

      6. Implementation and Effectiveness

      This section records, for each applicable control, whether it has been implemented and how well it is working. Implementation is the process of putting the control into operation; effectiveness is the extent to which the control operates as intended and is suitable for the purpose for which it was selected. ISO/IEC 27001:2013 requires organisations to monitor, measure, analyse and evaluate the effectiveness of the ISMS and its controls, so the SoA should reference the evidence (metrics, audit results, test records) that supports each status claim.

      7. Management Review 

      The Management Review is a key component of an organisation's ISMS, as it provides a systematic review of the suitability, adequacy, and effectiveness of the ISMS. ISO 27001 requires the review to take place at planned intervals; in practice this is at least annually, and more frequently if significant changes have occurred within the organisation. The review should ensure that the ISMS is appropriate for the organisation's current and future risk environment, and that it is continually improving.

      The Management Review should consider all aspects of the ISMS, including:

      • The adequacy and effectiveness of the organisational structure for information security.
      • The assignment of responsibility for information security throughout the organisation.
      • The adequacy and effectiveness of resources devoted to information security.
      • The adequacy and appropriateness of information security policies, objectives, procedures, controls, and plans.
      • Identification of any gaps in the coverage of information security policies, objectives, procedures, controls, and plans.
      • Evaluation of new or revised information security risks, and the adequacy of responses to those risks.
      • Evaluation of compliance with information security policies, objectives, procedures, controls, and plans.
      • Any cases where non-compliance with information security policies, objectives, procedures, controls or plans has occurred.
      • Recommendations for improvement.