What is a Statement of Applicability? The SoA is a mandatory requirement of the ISO 27001 standard. Through it, you demonstrate which controls are applicable in your organization and how they are applied. Creating an SoA typically needs the help of specialists in the information security field.
The Statement of Applicability (SoA) forms a fundamental part of your information security management system (ISMS). The SoA is one of the most important documents you’ll need to develop for ISO 27001:2013 certification.
This document outlines the controls selected by an organization to address information security risks identified during the risk assessment process. It essentially serves as a roadmap, indicating which controls from the ISO/IEC 27001 standard (or other relevant standards) are applicable to the organization, and how they are implemented.
The SoA is a dynamic document that may evolve over time as the organization’s risk profile changes or as new information security threats and vulnerabilities emerge. It is typically updated periodically and reviewed as part of the overall ISMS maintenance process.
Simply put, the SoA states which ISO 27001 controls and policies the organization applies in order to protect its valuable information assets and manage its information processing facilities. It benchmarks against the Annex A control set in the ISO 27001 standard (described at the back of that ISO standards document as reference control objectives and controls).
The requirement for the SoA is found in clause 6.1.3 of the main requirements of ISO 27001, which is part of the broader clause 6.1, focused on actions to address risks and opportunities.
Through the SoA, an organization can demonstrate its implementation of the selected ISO controls, and justify the exclusion of any it deems not applicable.
The SoA is therefore an integral part of the mandatory ISO 27001 documentation that needs to be presented to an external auditor when the ISMS is undergoing an independent audit, e.g. by a Globus audit certification body.
If you need any help creating your SoA, please connect with our professionals.