Simplifying the Statement of Applicability

Get our top tips for completing the Statement of Applicability (SoA).

What is the Statement of Applicability?

The Statement of Applicability (SoA) is a document that details which controls you have in place to manage the risks to the security of your confidential or sensitive information. It is the one document that lists every control you employ to achieve this, and it is the most important document in your compliance effort.

The guidelines for the controls you choose are set out in ISO 27002:2022 Information Security, Cybersecurity and Privacy Protection – Information Controls. This supporting standard feeds directly into the SoA and provides detailed information on each control: what it is, how it works and how to implement it.

Put simply, your SoA is a detailed risk assessment. It should document any additional controls you apply to your information security and the reasons for their selection, as well as any controls that were excluded and why.

Why is it Useful?

The information security management system focuses on continual improvement, and the SoA will help you achieve this. It will help you understand how and why you are managing risks and ensure all necessary controls are captured, including ones you might not have considered. It will also allow you to review whether a control is effective and if more suitable options are available.

This document should be the main focal point of your internal audits and will be used by your assessor during your audit.

Completing the Statement of Applicability

Historically, the SoA was seen as a scary document comprising 114 controls over 13 clauses. However, following its update in 2022, this has been reduced to 93 controls over 4 clauses:

  1. Clause 5: Organisational Controls – your policies, general processes etc.
  2. Clause 6: People Controls – what you need to do to ensure your team is secure, user access control etc.
  3. Clause 7: Physical Controls – your physical security, e.g. access to your premises.
  4. Clause 8: Technological Controls – firewalls, antivirus and anti-malware software etc.

You can find a template for the SoA here. This should reflect your management system and the applicable controls required to manage your information assets. This template includes instructions and guidance to support you with its completion.

Once complete, your SoA will be subject to an annual review and shouldn’t require any major reconstruction unless your business changes substantially. With perseverance, you will greatly increase your personal development, contribute to information security compliance and conformity, and even save your organisation thousands of pounds!

Our Top Tips for Smooth Completion

  1. Break its completion down into ‘bite-sized chunks’.
  2. Draw on the knowledge of personnel in relevant areas of the business, e.g. HR, IT, senior management etc.
  3. Have a copy of the ISO 27001 standard to hand. Let your account manager know if you would like to purchase a copy.
  4. View documents within the risk assessment process as interrelated (inventory of information assets, risk assessment of those assets, SoA and the risk treatment plan).