ISO 27001 statement of applicability Template
The statement of applicability is the list of controls that you are implementing in your organisation. It includes the controls you are not implementing along with a justification why not if appropriate. It is based on ANNEX A/ ISO 27002 and can include additional controls such as those imposed by customers.
How to create and use an ISO 27001 statement of applicability Tutorial
In this short tutorial we show you how.
The Statement of Applicability is a document that you’re often, in fact nearly always, asked for. You are going to be asked for it by the auditors, you are going to be asked for it by third parties such as your clients and potential clients. In fact, anybody looking at your information security management system will want to know what the statement of applicability is.
It is the list of information security controls that you are applying into your organisation. You can derive this list in a number of different ways. As a minimum that list is going to include the Annex A Controls, often referred to as ISO 27002. That forms part of the ISO 27001 certification. Of course, there may be additional controls that you’re going to record as well that you are implementing either from other standards or from your direct requests from your customers. These would be captured on your legal and contractual register. As a basic requirement we are going to make a start and we are going to make include the Annex A / ISO 27002 controls and list them.
The list of Annex A / ISO 27002 controls is going to be used many times.
Most people would make a start by buying a copy of the standard. You should always buy a copy of the standard. Then they would work through the standard of ISO 27002, and laboriously copy and paste the controls into a spreadsheet. The standard is not set out in a way to make this easy for you. It will take you a long time if you do it yourself. It can be a massive time sink. I see people always start at this point and then pretty much get to the end of this step, realise the time involved and then look to get help.
So, what we’re going to do, we’re going to take the clause and we’re going to take the title and we’re going to take the control objective directly out of Annex A / ISO 27002 and put that into the spreadsheet. Then we are going to look at the drivers that we have considered in implementing the control. You will want to say that you have implemented it because the standard says you have to, which is factually correct, but is not what the auditor for ISO 27001 certification wants to hear. Whether true or not, you want to be able to say why you implemented the control, so we are going to record for simplicity the main reasons of
- Contract Reason
- Legal Reason
- Risk Reason
- Business Reason
Of course, you can have a combination of these reasons.
It may well be that there is no reason for a particular control, which is perfectly fine. We are still going to record it the Statement of Applicability, but we are going to record that it is not inscope, i.e., it does not apply, and the reason that it does not apply to us. At certification the auditor wants to see why you think a particular control doesn’t apply to you. It is rare that controls don’t apply to people as it’s an international standard and it covers across the board, but it does happen that controls don’t apply. Consider if you do not secure software development then that section does not apply. If you are fully remote, then many of the controls on physical security would not apply. You just record and state the reason. Now you don’t have to worry about them.
The applicability of controls needs to be reviewed regularly, well at least once a year and clearly before you take the certification audit. You are therefore going record on here the date that each control was last assessed when you last did a review of whether or not that control was in scope or was not in scope. For good document mark-up you will have version control on your document that shows when the main review took place. Anyone looking is going to come and look and say – I want to see a date in here that is some point within the last 12 months. This shows this document is fresh and you’ve recently gone through that review. Now a top tip is that you would always have minutes for meetings where you had recorded that this had been signed off and approved by the management review meeting, so you want to tie those two together.
Statement of Applicability FAQ
It is the document that lists the ISO 27001 Annex A business controls and records if they apply to you or not. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why the control applies to your business and if it does not apply, why it does not apply.
List out the ISO 27001 Annex Controls in a table. Add columns for whether it applies to you or not. Add columns for why it applies such as business, legal, risk, customer. Add a column for why it doesn’t apply for those controls that do not that is used to explain why it does not apply. Include columns for last reviewed date and next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. You can view in this short tutorial.
It is another name for the statement of applicability document.
An statement of applicability document template can be downloaded here: https://hightable.io/product/statement-of-applicability/
In our experience a spreadsheet works best, so a Statement of Applicability xls.
Yes. The it is a requirement of ISO 27001 certification. We need to understand what controls the business has chosen to implement as part of its information security management framework.