hillhwa.blogg.se

Soa iso 27001 example
Documentation is crucial for any ISO 27001 implementation project, and the SoA (Statement of Applicability) is one of the most important documents you need to complete. In this blog, we explain what an SoA is, why it's important and how to produce one.

What is a Statement of Applicability?

An SoA summarises your organisation's position on each of the 114 information security controls outlined in Annex A of ISO 27001 (the 2013 edition; the 2022 revision restructures Annex A into 93 controls, but the requirements on the SoA below are unchanged).

Clause 6.1.3 of the Standard states that an SoA must:

- identify which controls the organisation has selected to treat the risks it has identified;
- state whether or not each selected control has been implemented; and
- explain why any controls have been omitted.

Every control should have its own entry, and where a control has been selected, the SoA should link to the documentation that shows how it is implemented.

Organisations are only required to implement controls that are appropriate to the risks they face. They should determine which controls apply to them by conducting an ISO 27001 gap analysis and risk assessment. These processes help organisations identify the risks they face, which they can then match to the relevant controls.

Annex A provides a useful outline of each control. Still, you'll probably need something more in-depth when it comes to the implementation process. ISO 27002 provides detailed information on each control, explaining how each one works and advising on how to implement it. It's a supplementary standard in the ISO 27000 series, giving a detailed overview of information security controls. You'll therefore benefit from having copies of both standards when creating your SoA.

Why is the Statement of Applicability important?

The SoA is a useful document for everyday operational use because it provides comprehensive coverage of your organisation's information security measures. You can refer to it to understand how and why your organisation is tackling certain risks and accepting others. This is especially important when ensuring continual improvement within your organisation. You can assess whether the controls you've implemented are working as intended and whether other controls might be more suitable. Likewise, you can review why you chose to accept certain risks and determine whether the threat landscape has changed enough to warrant revisiting that decision.

An SoA also has significant regulatory consequences.
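The Clause 6.1.3 requirements above are easy to state and easy to get wrong in a register of 114 rows: a control dropped from the spreadsheet, a selected control with no evidence reference, an omitted control with a blank justification. The following checker is an added example, not code from the original post; it validates a small SoA register held as CSV. The column names, the status vocabulary and the handful of Annex A control IDs are assumptions for the demo (a real run would load the full catalogue), and the sample register is constructed to contain four defects so the findings are visible.

```python
"""Validate a Statement of Applicability (SoA) register against the ISO 27001
Clause 6.1.3 requirements: every catalogue control has exactly one entry,
selected controls carry a justification, an implementation status and a link
to implementation documentation, and omitted controls carry a justification.

Added example; not from the original post. Column names, status values and
the control subset below are assumptions made for this demo."""

import csv
import io

# Constructed subset of Annex A (ISO/IEC 27001:2013). A real check would load
# all 114 controls; six are enough to show each kind of finding.
ANNEX_A_SUBSET = {
    "A.5.1.1": "Policies for information security",
    "A.6.1.2": "Segregation of duties",
    "A.9.4.2": "Secure log-on procedures",
    "A.12.4.1": "Event logging",
    "A.14.2.1": "Secure development policy",
    "A.17.1.1": "Planning information security continuity",
}

# Assumed register layout and assumed implementation-status vocabulary.
REQUIRED_COLUMNS = {"control", "applicable", "justification", "status", "evidence"}
VALID_STATUS = {"implemented", "partial", "planned"}

# Constructed sample register. Deliberate defects: A.6.1.2 has no evidence
# link, A.14.2.1 is omitted without justification and also appears twice,
# and A.17.1.1 has no entry at all.
SAMPLE_SOA = """control,applicable,justification,status,evidence
A.5.1.1,yes,Risk R-01 (unclear responsibilities),implemented,POL-001 Information Security Policy
A.6.1.2,yes,Risk R-04 (finance fraud),implemented,
A.9.4.2,yes,Risk R-07 (credential stuffing),planned,PRJ-012 SSO rollout
A.12.4.1,yes,Risk R-09 (undetected intrusion),implemented,LOG-003 SIEM configuration
A.14.2.1,no,,,
A.14.2.1,yes,Risk R-11 (insecure change),implemented,SDL-001 Secure development standard
"""


def parse_soa(text):
    """Parse the CSV register into a list of dicts, rejecting a bad header."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"SoA register is missing columns: {sorted(missing)}")
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def check_soa(rows, catalogue=ANNEX_A_SUBSET):
    """Return a sorted list of findings; an empty list means the register is consistent."""
    findings = []
    seen = set()
    for row in rows:
        cid = row["control"]
        if cid not in catalogue:
            findings.append(f"{cid}: not an Annex A control")
            continue
        if cid in seen:
            findings.append(f"{cid}: duplicate entry")
        seen.add(cid)
        applicable = row["applicable"].lower()
        if applicable == "yes":
            # A selected control must be traceable to a risk or requirement,
            # must say whether it is in place, and must point to evidence.
            if not row["justification"]:
                findings.append(f"{cid}: selected but no risk or requirement justifies it")
            if row["status"] not in VALID_STATUS:
                findings.append(f"{cid}: selected but implementation status is '{row['status'] or 'blank'}'")
            if not row["evidence"]:
                findings.append(f"{cid}: selected but no link to implementation documentation")
        elif applicable == "no":
            # Clause 6.1.3 requires a justification for every exclusion.
            if not row["justification"]:
                findings.append(f"{cid}: omitted without justification")
        else:
            findings.append(f"{cid}: applicability must be yes or no, got '{row['applicable']}'")
    # Every catalogue control needs its own entry, applicable or not.
    for cid in catalogue:
        if cid not in seen:
            findings.append(f"{cid}: no entry in the SoA")
    return sorted(findings)


def findings_for_sample():
    """Run the checker over the constructed register."""
    return check_soa(parse_soa(SAMPLE_SOA))


if __name__ == "__main__":
    for finding in findings_for_sample():
        print(finding)
```

Running it lists the four planted defects. The same checker, fed the full Annex A catalogue and your real register, is a cheap pre-audit gate: an auditor will look for exactly these gaps, and each one is a finding against Clause 6.1.3 rather than against the control itself.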