Statement of Applicability


Depending on the security framework you use to set up your security program, you may need a documented link between the risk assessment and the risk treatment. An example of such a framework is ISO/IEC 27001, where you build an Information Security Management System (ISMS) and select your controls from Annex A (the control set also published as ISO/IEC 27002). The Statement of Applicability (SoA) is the document that provides this link. The SoA is a simple document listing every control in your framework, stating for each one whether it is in scope (applicable) or out of scope, the justification for that decision and, for applicable controls, whether the control is implemented.

The SoA can be used during audits so the auditor knows which controls your organization has excluded (and therefore which risks it has accepted) and which controls need to be audited. The SoA is also often used to give (potential) customers insight into the scope of security within an organization; it provides far more detail on that scope than a certificate from an auditor alone. An example of a control that is not always needed is the 'Working in secure areas' control. This control is typically relevant when you operate your own data center or server room. If your organization runs 100% in the cloud, you probably do not need measures for this control, but you still have to record it in the SoA with a justification for the exclusion.

How

Before you start filling in the template below, you need to go through all the controls in your framework and, using the outcome of your risk assessment, decide for each control whether it is required. When using the ISO/IEC 27001 framework, you have to go through all the controls of Annex A (ISO/IEC 27002). Note that a new version of Annex A was released in 2022; the older 2013 control set can no longer be used when you are going for certification.

For building your SoA, you can use a spreadsheet program or an application specifically made for risk management. The outcome of the risk assessment determines the input for your SoA. For each control, the justification for its status must be recorded. This does not mean you have to describe all the measures you have taken to mitigate the risks, but why you determined that the control is (or is not) required. An example justification is that a certain control is required by a specific regulator or by a customer contract.

Once you have created your SoA you need to review it periodically, just like all your other policy documents and as described in your Information Security Policy. This review ensures that the SoA is up to date and that the risks and control decisions are still current and applicable to your organization.
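Because the SoA is usually kept in a spreadsheet, the checks above (every control of the catalogue is listed, every control has a status and a justification, applicable controls have an implementation status, and the last review is not older than the review cycle) are easy to automate. The script below is an added example and is not part of the original page or of any template it refers to. It assumes a hypothetical CSV export with the columns control_id, control_name, status, justification, implemented and last_review, and it uses a constructed subset of the ISO/IEC 27002:2022 catalogue; a real SoA covers all 93 controls.

```python
"""Consistency checks for a Statement of Applicability kept as a CSV export.

Added example: the column layout and the sample rows are constructed for
illustration, not taken from the page's template.
"""
import csv
import io
from datetime import date, timedelta

# Constructed subset of the ISO/IEC 27002:2022 control catalogue (real SoA: all 93 controls).
CONTROL_CATALOGUE = {
    "5.1": "Policies for information security",
    "5.31": "Legal, statutory, regulatory and contractual requirements",
    "6.3": "Information security awareness, education and training",
    "7.6": "Working in secure areas",
    "8.1": "User endpoint devices",
}

VALID_STATUS = {"applicable", "not applicable"}
VALID_IMPLEMENTED = {"yes", "partial", "no"}  # only meaningful for applicable controls

# Constructed sample SoA export: 8.1 is missing, 6.3 has no justification,
# 7.6 is excluded with a justification (cloud-only organization).
SAMPLE_SOA_CSV = """control_id,control_name,status,justification,implemented,last_review
5.1,Policies for information security,applicable,Required by ISO/IEC 27001 clause 5.2,yes,2024-03-01
5.31,Legal statutory regulatory and contractual requirements,applicable,GDPR and customer contracts,yes,2024-03-01
6.3,Information security awareness education and training,applicable,,partial,2024-03-01
7.6,Working in secure areas,not applicable,No own data centre or server room; all infrastructure runs in public cloud,n/a,2024-03-01
"""


def check_soa(csv_text, catalogue=CONTROL_CATALOGUE, today=None, max_age_days=365):
    """Return a list of (control_id, finding) tuples; an empty list means the SoA passes.

    `today` may be a date, an ISO date string, or None (use the current date).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    findings = []
    seen = set()

    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control_id"].strip()
        if cid not in catalogue:
            findings.append((cid, "control not in the catalogue"))
        if cid in seen:
            findings.append((cid, "listed more than once"))
        seen.add(cid)

        status = row["status"].strip().lower()
        if status not in VALID_STATUS:
            findings.append((cid, f"invalid status {row['status']!r}"))

        # Both inclusions and exclusions need a justification.
        if not row["justification"].strip():
            findings.append((cid, "justification missing"))

        implemented = row["implemented"].strip().lower()
        if status == "applicable" and implemented not in VALID_IMPLEMENTED:
            findings.append((cid, "applicable control needs an implementation status"))

        try:
            reviewed = date.fromisoformat(row["last_review"].strip())
        except ValueError:
            findings.append((cid, "last_review is not an ISO date"))
        else:
            if today - reviewed > timedelta(days=max_age_days):
                findings.append((cid, f"review older than {max_age_days} days"))

    # Every control of the catalogue must appear, even the excluded ones.
    for cid in catalogue:
        if cid not in seen:
            findings.append((cid, "control missing from the SoA"))
    return findings


if __name__ == "__main__":
    for control_id, finding in check_soa(SAMPLE_SOA_CSV, today="2024-06-01"):
        print(f"{control_id}: {finding}")
```

Run against the sample on 2024-06-01 the script reports only the missing justification for 6.3 and the absent control 8.1; run a year later it additionally flags every row as overdue for review, which is the signal you want before an audit.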

Risks

When setting up or reviewing your Statement of Applicability (SoA) it is important that your risk assessments are performed correctly and that management supports their outcome. If this is not the case, you will run into problems when implementing the measures you believe are needed. As the SoA is most likely shared with your customers, an inaccurate SoA can also give them a wrong idea of your security setup, which may lead to disappointed customers or even contractual disputes and legal claims.

Example Policy Content

An example Statement of Applicability based on the ISO/IEC 27002:2022 control set can be downloaded below. Note that this is only an example document; adjustments will likely be needed before you can use it within your own organization.


Related links

ISACA: The benefits of the SoA in ISMS projects
Gartner on Integrated Risk Management Solutions
ISO/IEC 27001 Information Security Management