4conform Wiktionary

Statement of Applicability (SoA)

Our Wiktionary is growing into a user-friendly online dictionary specifically designed to provide comprehensive and precise definitions of terms related to ISO standardization, information security, data protection and cybersecurity.

The Statement of Applicability (SoA) is a central document within the framework of the Information Security Management System (ISMS) according to the ISO/IEC 27001 standard. It is used to define and document the applicability of the security measures described in Annex A of the standard for a specific organization.

Purpose of the SoA:
  • Customization: The SoA helps organizations adapt the general security requirements of ISO 27001 to their specific needs and circumstances. It determines which of the 114 controls listed in Annex A of the standard (2013 edition) are relevant to the organization and which are not.
  • Risk-based approach: The selection of controls is based on a risk assessment. Organizations must identify the risks that are relevant to their specific environment and implement appropriate controls to address these risks.
  • Documentation and evidence: The SoA serves as evidence that the organization meets the requirements of ISO 27001. It is regularly reviewed and updated to ensure that it remains relevant and effective.

Content of the SoA:
  • List of relevant controls: A listing of all controls from Annex A of ISO 27001 that are applicable to the organization.
  • Justification for the selection: An explanation of why certain controls were classified as relevant or not relevant based on the risk assessment.
  • Implementation status: Information on whether each control has already been implemented, is planned, or has been excluded as not applicable.

The SoA is a living document that should be regularly reviewed and updated to ensure that it continues to meet the organization’s current risks and requirements. It is an integral part of the ISMS and plays a crucial role in certifying and maintaining ISO 27001 compliance.