What is the statement of applicability for ISO 27001?

May 30th, 2019 By Amywright

When researching the steps you need to take for ISO 27001 certification, you may have stumbled upon the term ‘statement of applicability’. If the terminology of the ISO has got you scratching your head, we’re here to do all the hard work and explain what the statement of applicability is and why it’s important.

What is the statement of applicability for ISO 27001?

Part of the risk assessment and Information Security Management System (ISMS – not to be confused with IMSM!) component of ISO 27001, it is a document that sets out the legal, physical and technical controls that make up your cyber security arrangements. Completing the statement of applicability (SoA) is a requirement of the standard: it is a document you have to develop, prepare and submit as part of your steps toward best-practice data management systems.

There are no exact rules for developing your SoA, as ISO 27001 recognises that the details of cyber security are unique to your business's requirements; however, you must include:

  • An explanation of the elements of the security controls you’ve chosen to mitigate risks as well as justification for why you’ve included them. These are decided through performing a gap analysis and risk assessment in the starting stages of your ISO 27001 certification.
  • Whether the chosen controls have been implemented. If they haven’t, you must state when you intend to implement them.
  • Any part of ISO 27001’s Annex A – a list of 133 controls with explanations of what they are and what they do – that you’ve excluded, and why. Note: clauses 4-8 are mandatory.

Why is the statement of applicability for ISO 27001 important?

  • Your SoA is your roadmap to smooth and effective ISO 27001 certification. It’s a comprehensive document that identifies and categorises elements of ISMS by product and department as well as a host of other criteria.
  • In ISO certification, documentation is crucial. Your SoA provides physical proof to your auditor that you’re taking steps to achieve ISO 27001 certification by laying out your company’s legal, statutory, regulatory and contractual commitments.
  • It flags any controls implemented for reasons other than risk assessment.
  • Your SoA assists in the continual improvement of your digital security, as it gives you a framework for comparing what’s working and what’s not, and therefore a clear scope for what to update.
  • If a data breach occurs, the controls you put into place will be justified. Your compliance will be proven, giving you confidence in your next steps.

Want to find out more about how ISO 27001 can help your business? Download the free guide.

Contact Us

For a free Quotation or On-Site presentation by an ISO Specialist, contact us today!

IMSM Ltd
The Gig House
Oxford Street
Malmesbury
Wiltshire SN16 9AX

Tel: +44 1793 296704
