ISO 27001: Statement of Applicability

Background

ISO 27001 is a globally recognized standard for establishing an information security management system (ISMS). If your organization wants to achieve ISO 27001 compliance and become certified, you must prepare a "Statement of Applicability" - a summary of your ISO 27001 measures and one of the key documents you need to become compliant.

Want to know more about ISO 27001? Then read our page on the ISO 27001 certification.

What is a Statement of Applicability?

A Statement of Applicability (SoA) is a document required for ISO 27001 certification. It lists the Annex A measures that your organization has determined are necessary to mitigate its information security risks, and the Annex A measures that have been excluded.

This is an internal document that you normally only share with your organization and your certification body. However, it is essential to get it right - failure to do so can delay the certification process.

How do I draft a Statement of Applicability?

Here is an overview of the steps you need to take to put together an SoA for your organization.

1. Understand the requirements

The first step in writing an ISO 27001 Statement of Applicability is to understand the requirements, which can be overwhelming if you are new to information security or ISO 27001.

Nevertheless, understanding these requirements will help ensure that your SoA is accurate and complete. An overview of the ISO 27001 requirements is available on the official ISO website. Would you prefer a free briefing on the requirements of ISO 27001? Then contact one of our specialists without obligation.

2. Conduct a risk assessment

To begin writing an ISO 27001 Statement of Applicability, you must conduct a risk assessment. The purpose of this step is to evaluate the information security risks that could cause damage or loss to your organization.

If you have already conducted a risk assessment, use that information as a starting point. If not, start with:

Determining an appropriate method

Your risk assessment should be tailored to your organization's environment and circumstances. In other words, you should choose a risk assessment method that gathers the information you need about the specific risks affecting your business.

Most risk assessments follow either a qualitative approach, in which expert judgment is used to rate risks on a scale from low to high, or a quantitative approach, in which formulas are used to calculate the expected monetary loss from particular risks. Either approach can be combined with an asset-based or threat-based method.

Both the ISO 27005 and NIST SP 800-30 standards can provide guidance for determining the most appropriate risk methodology.

Seek support

If you don't have a cybersecurity expert on your team, you can hire a consultant to help identify the threats that could affect your organization's ability to achieve its goals. A consultant can suggest strategies or tools they have used with companies in your industry and help establish an effective approach for your organization.

Again, this can be especially helpful if your organization does not have much experience with risk assessments. Input from experienced specialists can help create a more complete risk profile.

Risk analysis for the Statement of Applicability


3. Define a risk management strategy

This is the point at which you define your risk management strategy, identify security risks and determine what to implement to effectively manage those risks. For example, an organization may decide to implement an encryption solution to secure sensitive data.

Once you have defined all the components of your risk management strategy, you will have a clearer picture of what type(s) of measure(s) are best suited to address each component within your organization's IT system.

4. Select the security measures most relevant to your organization

Every organization is different, which means the measures you implement may be specific to your industry or sector.

If you have a large manufacturing company with multiple warehouses where inventory is always being shipped or returned to storage, physical access control can be part of your ISO 27001 certification process.

Other companies, however, will find that they do not face many physical security risks and that a different set of measures is at the top of their priority list.

5. Complete the SoA

You now have everything you need to prepare your Statement of Applicability.

If you have chosen to exclude a measure from Annex A, it is important to justify this decision. You should include the risks that were considered and determined not to be a high priority. If possible, explain why a particular risk was deemed inappropriate for inclusion.

You should also document the rationale for including Annex A measures. Usually this rationale is that the measure has been determined necessary to mitigate a specific information security risk.
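As an added illustration of what "complete" means for the document described in steps 2 through 5 (this is example code written for this page, not a tool or template from the page's author), the script below models a small risk register and a handful of SoA entries and checks the properties an auditor looks for: every listed measure has a justification whether it is included or excluded, every included measure is linked to a risk that actually exists in the register, an excluded measure is not simultaneously claimed to treat a risk, and no medium-or-higher risk is left without an included measure. The control identifiers, the 1-to-3 likelihood and impact scale, and all register and SoA contents are constructed for the example.

```python
"""Completeness check for an ISO 27001 Statement of Applicability (SoA).

Constructed example: the control identifiers, the scoring scale, the risk
register and the SoA entries are illustrative and not taken from any real
organization.
"""
from dataclasses import dataclass

# Constructed risk register: qualitative likelihood and impact, each scored 1 (low) to 3 (high).
RISK_REGISTER = {
    "R-01": {"title": "Unauthorized physical access to a warehouse", "likelihood": 2, "impact": 3},
    "R-02": {"title": "Sensitive data intercepted in transit", "likelihood": 3, "impact": 3},
    "R-03": {"title": "Loss of a laptop with an unencrypted disk", "likelihood": 2, "impact": 2},
}

LEVELS = {"low": 1, "medium": 2, "high": 3}


def risk_level(risk: dict) -> str:
    """Map likelihood x impact (1..9) onto the low/medium/high scale used in the register."""
    score = risk["likelihood"] * risk["impact"]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


@dataclass(frozen=True)
class SoaEntry:
    control: str              # Annex A control identifier (illustrative numbering only)
    applicable: bool          # True = included, False = excluded
    justification: str = ""   # why the control is included or excluded; required either way
    risks: tuple = ()         # register ids this control treats; expected for included controls
    implemented: bool = False


def validate_soa(entries, register=RISK_REGISTER):
    """Return a list of findings; an empty list means the SoA passes the checks."""
    findings = []
    seen = set()
    for e in entries:
        if e.control in seen:
            findings.append(f"{e.control}: listed more than once")
        seen.add(e.control)
        if not e.justification.strip():
            findings.append(f"{e.control}: no justification recorded")
        if e.applicable:
            if not e.risks:
                findings.append(f"{e.control}: included but not linked to any risk")
            for r in e.risks:
                if r not in register:
                    findings.append(f"{e.control}: references unknown risk {r}")
        elif e.risks or e.implemented:
            # An excluded control that still claims to treat a risk (or to be
            # implemented) contradicts its own exclusion and needs a second look.
            findings.append(f"{e.control}: excluded but marked as treating a risk or implemented")
    return findings


def untreated_risks(entries, register=RISK_REGISTER, minimum="medium"):
    """Risks at or above `minimum` level that no included control treats."""
    treated = {r for e in entries if e.applicable for r in e.risks}
    return sorted(
        rid for rid, risk in register.items()
        if rid not in treated and LEVELS[risk_level(risk)] >= LEVELS[minimum]
    )


# Constructed SoA: one well-formed entry, one missing its justification,
# one properly excluded entry, and one contradictory exclusion.
SAMPLE_SOA = [
    SoaEntry("A.8.24", True, "Encryption in transit treats R-02.", ("R-02",), implemented=True),
    SoaEntry("A.7.2", True, "", ("R-01",)),
    SoaEntry("A.8.1", False, "Endpoint devices are supplied and managed by the customer."),
    SoaEntry("A.8.25", False, "", ("R-03",)),
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA):
        print("finding:", finding)
    print("untreated medium-or-higher risks:", untreated_risks(SAMPLE_SOA))
```

Running the sample reports three findings (two missing justifications and one contradictory exclusion) and flags R-03 as a medium risk that no included measure treats, which is exactly the kind of gap the justification text in step 5 has to explain before the document goes to the certification body.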

6. Schedule annual updates

Once you have completed your Statement of Applicability and risk assessment, keep both under review. Check the documents regularly to ensure that you are still meeting the requirements outlined in the standard.

In addition, be sure to stay abreast of any technological changes that may affect your program and risk treatment plan.