Aiming for an ISO 27001 certification for your organization is not an easy feat. Not only are there numerous requirements, but often, this effort requires the cooperation of multiple units outside of your information security department.
To avoid being overwhelmed by all the requirements, it is important to establish a baseline first. This is where the ISO 27001 Statement of Applicability (SoA) comes in. This is one of the first of many documents that an ISO auditor would request from your organization during a certification audit. It contains 93 controls covering organizational, people, physical and technological controls. It is also known as the “Annex A Controls” since these are found at Annex A of the ISO 27001 document.
Looking at the control descriptions, you would expect that accomplishing this would require the cooperation of multiple units such as legal, procurement, compliance, data privacy, etc. Overall, it really is an organizational effort. To implement these controls, it is best to hire or consult with an information security professional who understands the requirements of each of the controls.
For each control in the SoA, your organization is asked, "is this information security control applicable to your organization?" By applicable, we mean that, based on how the organization operates, the control must be implemented to secure the organization's information. For example, if your organization implements a hybrid working schedule, then the control on 'Remote Work' should be tagged as applicable because, under your hybrid arrangement, you need controls to protect information used during remote work. On the other hand, if your organization absolutely prohibits outsourcing, then all controls related to outsourcing can be tagged as 'Not Applicable'. Naturally, you would have to provide justification for all controls, whether they are applicable or not. For controls tagged as 'Not Applicable', you should be prepared to have evidence for your justification, because an auditor pays closer attention to controls tagged as such and would often verify whether the ‘Not Applicable’ tagging is valid.
Ideally, the SoA should be completed at the start of any compliance or certification effort. As mentioned earlier, it establishes the baseline of how mature your organization is in terms of implemented security controls. Not only is it a baseline, but it also guides the auditor on whether to recommend certification or not. After all, if at least one applicable control is not implemented, then the auditor might not recommend certification.
All applicable controls must have evidence of implementation, and that is normally the responsibility of the control owner. The control owner is the one responsible for managing the control. He is not necessarily a member of senior management or the one who approves budget-related items. He is, however, the one knowledgeable on how the control is implemented in the organization. For example, for the control on information security awareness, education and training, the control owner might be the organization’s Awareness Lead. As an alternative, it is also possible for the Chief Information Security Officer to be the control owner and to delegate the control management to the Awareness Lead. This makes senior management more involved in the ISO 27001 efforts. Overall, it is the organization’s decision who to assign as the control owner.
The implementation description describes how the control is implemented in the organization, and this should be backed by evidence provided by the control owner. How much evidence is sufficient depends on the auditor. From audit experience, auditors would start with documents, especially policies. Then, they would review whether the policies sufficiently cover the requirements of the control. From there, they would review how the items in the policy are implemented in the organization. When it comes to document review, it is generally important to include timestamps and revision and review histories in documents as much as possible. Auditors would employ other methods of examination throughout the certification audit, whichever is applicable to the item being examined: interviews, walkthroughs, sampling, etc. You can’t really prepare 100% for the audit, because any crack can slip through: a statement from an employee, observed practices, etc.
To prepare, organizations conduct pre-audit activities such as practice interviews, reviewing documents and processes, and having the most experienced person in the team act as the audit point person. Some organizations also have a regular internal audit exercise, and this can be considered a pre-audit activity. At the very least, the internal audit lets gaps be discovered and addressed before a certification audit.
The ISO 27001 Statement of Applicability product contains both an Excel template for the Statement of Applicability and a PowerBI dashboard. The Excel file serves as the data source for the PowerBI dashboard.
Another product, the ISO 27001 Gap Analysis, is a bit different from the SoA. In the gap analysis product, the controls were extracted from the main body of the ISO 27001 document and are thus more detailed, while the SoA only contains the Annex A controls. The controls in the two products don’t necessarily map one-to-one. If you’re looking to do a certification audit, it’s best to start with the SoA product. If you’re just looking for compliance, you can go for either the gap analysis document or the SoA document.
Product Page: ISO 27001:2022 Statement of Applicability Template
Related Product Page: ISO 27001:2022 Gap Analysis Template