CHAPTER 14: THE STATEMENT OF APPLICABILITY

Having conducted the risk assessment and taken decisions regarding the treatment of those assessed risks, the results need to be documented. This produces two documents:

The first lists all the controls listed in Annex A of ISO27001 and documents whether or not they have been applied within the ISMS, and also identifies additional controls that have been applied. The second maps the selected treatments (and the measures by which they are to be implemented) to the specific risks they are intended to address and is, in effect, a control implementation plan; we discuss this further in Chapter 15.

Drafting the Statement of Applicability

As the controls are selected, the Statement of Applicability (SoA) can start being drawn up. This SoA (specified in 4.2.1 – h of the standard) is documentation of the decisions reached on each control in light of the risk assessment and is also an explanation or justification of why any controls that are listed in Annex A have not been selected.⁵⁶ This exercise, of reviewing the list of controls and documenting the reasons for excluding any that have not been selected, is a useful cross-check on the control selection process.

The SoA needs to be reviewed on a defined, regular basis and will be one of the first documents that an external auditor will want to see. It is also the document that is used to demonstrate to third parties the degree of security that has been implemented and is referred to, with its issue status, in the certificate of compliance issued by third party certification bodies.

The SoA could adopt the format set out in the example below, in which the wording provided in the standard is repeated with appropriate variations to reflect the actual decisions made by the management steering group and its reasoning. The SoA can also refer to other documents, where these form the basis for any specific decisions recorded in it.

There are different ways of expressing the way in which different controls are applied, some of which are shown below. The SoA should be signed by the owner of the security domain for which it has been drawn up. This document is, for the external certification auditor, key evidence of the steps taken between risk assessment and implementation of appropriate controls; it often contains references to the parts of the ISMS which enforce or implement those controls.

Introduction

This is the Statement of Applicability, as specified in clause 4.2.1.h to ISO27001:2005 (‘the Standard’), for ABC Ltd. It was adopted by the Management Steering Group on [date] and will be reviewed in the light of significant information security incidents and at least annually. It reflects a risk assessment carried out on [date]. Controls are addressed in the same order and using the same numbering as in Annex A of the Standard and this statement explains which controls have been adopted, and identifies those which have not been adopted and sets out the reasons for these decisions.

Statement of Applicability

A.5.1.1 Information Security Policy

ABC Ltd approved an Information Security Policy that conforms to the guidance of ISO27002:2005 on [date] and has published and communicated it to all employees and relevant external parties.

A.6.1.1 Management commitment to information security

ABC Ltd has established an Information Security Steering Group, that reports to the CEO, and which includes representatives from all the key parts of the organisation. This group approved – and is responsible for regular reviews to – the Information Security Policy and is responsible for assigning and/or resourcing security roles within the organisation, and for driving and reviewing implementation across the organisation of the ISMS and any individual initiatives, including information security training and awareness. An external information security adviser has been contracted to provide specialist advice as well as ongoing expertise to the Steering Group.

A.6.1.2 The Steering Group

The Steering Group provides a cross-functional forum within which representatives from key parts of the organisation are able to coordinate implementation of the complete range of information security controls. A separate forum for information security coordination has not been created as it is considered more effective for this to be handled through the management Steering Group.

[Through all controls, e.g.]

A.9.2.1 Equipment siting and protection

In each situation where there is a possibility that sensitive information might be overseen, a risk assessment is carried out and the appropriate controls, as identified in this section, are applied.

[Or]

A.10.8.4 Physical media in transit

This control has not been adopted, as ABC’s physical media never leaves its premises.

This book does not explore each of the controls specified under Annex A, as those are addressed elsewhere.⁵⁷

The Statement of Applicability will also list those additional controls that the organisation has determined, following its risk assessment, are necessary to counter specifically identified risks. These controls should be listed, either within those control sections whose objectives are supported by the additional controls, or within additional control sections added after those contained in ISO27001 Appendix A. These additional controls should adopt the Appendix A numbering scheme. It would also be worth documenting how the additional controls were selected.

It is sometimes argued that an organisation’s Statement of Applicability should not be made available to anyone outside the organisation and, possibly, even subjected to restricted accessibility within it. However, given that the ISO27001 accredited certificate will explicitly recognise the Statement of Applicability document and version number it is reasonable to expect that those looking to examine the degree of assurance your organisation’s ISMS provides will ask for sight of it. Of course, you could insist on them signing a non-disclosure agreement prior to granting them sight of the document. Alternatively, you could classify the document, or at least one version of it, as publicly available, with a different, more comprehensive version containing any sensitive information being given a tighter security classification.