CHAPTER 13: THE STATEMENT OF APPLICABILITY (SOA)

While the statement of applicability is central to an ISMS and to accredited certification of the ISMS (it is the document from which an auditor will begin the process of confirming whether or not appropriate controls are in place and operative), it can really only be prepared once the risk assessment has been completed and the risk treatment plan documented.

The statement of applicability is a statement as to which of the controls identified in Annex A to ISO27001 are applicable to the organisation, and which are not. It can also contain additional controls selected from other sources.

SoA and external parties

The SoA must be reviewed on a defined, regular basis. It is the document that is used to demonstrate to third parties the degree of security that has been implemented and is usually referred to, with its issue status, in the certificate of compliance issued by third-party certification bodies.

Controls and Annex A

Clause 6.1.3.b requires the organisation to determine all controls necessary to implement the risk treatment plan. Significantly, this is completed before consulting Annex A.

Clause 6.1.3.c of ISO27001 requires the organisation to select appropriate control objectives and controls from those specified in Annex A to match the controls selected in 6.1.3.b. However, it states that additional controls may also be selected from other sources. As part of composing the SoA in 6.1.3.d, the organisation is required to justify the selection (and exclusion) of controls.

ISO27002 provides good practice on the purpose and implementation of each of the controls listed in Annex A. There are, however, some areas in which organisations may need to go further than is specified in ISO27002; the extent to which this may be necessary is driven by the degree to which technology and threats have evolved since the finalisation of ISO27002.

Controls (6.1.3.b)

Controls are the countermeasures for vulnerabilities. The formal ISO27000 definition of a control is a ‘means of managing risk, including policies, procedures, guidelines, practices or organisational structures, which can be of administrative, technical, management, or legal nature. Control is also used as a synonym for safeguard or countermeasure’.1

Apart from knowingly accepting risks that fall within whatever criteria of acceptability the organisation has adopted in its risk treatment plan, or transferring the risk (through contract or insurance), the organisation can decide to implement a control to reduce the risk.

Residual risks

It is not possible or practical to provide total security against every single risk, but it is possible to provide effective security against most risks by controlling them to a level where the residual risk is acceptable to management. The risk owner must formally accept the residual risk (Clause 6.1.3.f).

Risks can and do change, however, so the process of reviewing and assessing risks and controls is an essential, ongoing one (Clause 8.2).

Control objectives

Controls are selected in the light of a control objective. A control objective is a statement of an organisation’s intent to control some part of its processes or assets and what it intends to achieve through application of the control. One control objective may be served by a number of controls.

Annex A of ISO27001 identifies appropriate control objectives and lists controls for each of them, which at a minimum serve those objectives. The organisation must select its control objectives from Annex A in the light of its risk assessment, and then ensure that the controls it chooses to implement (whether from the Annex or from additional sources) will enable it to achieve the identified objective.

Plan for security incidents

It is important that, when considering controls, the likely security incidents that may need to be detected are identified, considered and planned for. The process of selecting individual controls from those listed in the Standard’s Annex A should include consideration of what evidence will be required, and what measurements of effectiveness (6.1.1.e.2) will be made to demonstrate:

• that the control has been implemented and is working effectively

• that each risk has, thereby, been reduced to an acceptable level, as required by Clause 6.1.2.a.1 of the Standard.

Controls must be constructed in such a manner that any error, or failure during execution, is capable of prompt detection and that planned corrective action, whether automated or manual, is effective in reducing to an acceptable level the risk of whatever may happen next.

1 ISO/IEC 27000, 2.16.
