ISO 27001 certification, you may have stumbled upon the term 'statement of applicability'. If the terminology of the ISO has got you scratching your head, we're here to do all the hard work and explain what the statement of applicability is and why it's important.

What is the statement of applicability for ISO 27001?
Part of the risk assessment and Information Security Management System (ISMS – not to be confused with IMSM!) component of ISO 27001, the statement of applicability (SoA) is a framework of policies covering the legal, physical and technical aspects of your cyber security controls. Completing the SoA is a requirement of the standard: it is a document you have to develop, prepare and submit as part of your steps toward best-practice data management.
There are no exact rules for developing your SoA, as ISO 27001 recognises that the details of cyber security are unique to your business's requirements. However, you must include:
- An explanation of the security controls you've chosen to mitigate risks, together with justification for why you've included them. These are decided by performing a gap analysis and risk assessment in the early stages of your ISO 27001 certification.
- Whether the chosen controls have been implemented. If they haven't, you must state when you intend to implement them.
- Whether you've excluded any part of ISO 27001's Annex A – a list of 133 controls with explanations of what they are and what they do – and why. Note: clauses 4-8 are mandatory.
Why is the statement of applicability for ISO 27001 important?

- Your SoA is your roadmap to smooth and effective ISO 27001 certification. It's a comprehensive document that identifies and categorises elements of the ISMS by product, department and a host of other criteria.
- In ISO certification, documentation is crucial. Your SoA provides documented proof to your auditor that you're taking steps to achieve ISO 27001 certification by laying out your company's legal, statutory, regulatory and contractual commitments.
- It flags any controls implemented for reasons other than the risk assessment.
- Your SoA assists in the continual improvement of your digital security, as it gives you a framework for comparing what's working and what's not, and therefore the scope to update.
- If a data breach occurs, the controls you put in place will be justified and your compliance proven, giving you confidence in your next steps.
Want to find out more about how ISO 27001 can help your business? Download the free guide.