Every collaboration and process in an organization should be rooted in a risk assessment, and when it comes to information security, a Statement of Applicability (SoA) can be a powerful assessment tool.
An SoA is an essential part of the international ISO 27001 standard and serves as the link between risk assessment and risk management in an organization. In practice, it is a statement of what information security level an organization has proactively committed to in a given process and why the respective opt-in and opt-out choices have been made.
In the following article, we provide an overview of SoA essentials and how the SoA relates to the ISO 27001 standard.
What is an SoA Document in Accordance with ISO 27001?
SoA is an abbreviation for "Statement of Applicability", and is an integral and essential part of the ISO 27001 standard for information security. The SoA provides a mandatory list of security controls that are specified in the ISO 27001 standard and are relevant for the organization to implement as part of risk management.
Since the SoA defines the level of information security an organization has chosen for a given process, as well as the opt-ins and opt-outs that have been made, it provides a link between risk assessment and risk management in an organization.
An SoA documents the organization's active approach to the selection and deselection of measures that are to be implemented in the respective process. It supports and documents the choices the organization makes, and the document can be seen as an inventory of the organization's work with information security. It can be seen as an action plan for tangible activities to implement the information security measures.
Although ISO 27001 is the benchmark for the information security measures, an organization is free to add additional policies and control objectives if necessary.
What are the Key Elements of an SoA?
Annex A of ISO 27001 consists of a list of security measures that an organization must comply with.
Essentially, complying with ISO 27001 means having information security under control.
The SoA then covers a number of control areas, such as:
- Identity and access management
- Operational security
- Communications security
- Information systems
- Supplier relations
- Security and data breach management
The SoA is produced after the risk assessment, in which the organization identifies the risks that the SoA then accounts for.
This makes the SoA an invaluable resource when it comes to information security, since an organization has to actively consider every measure and account for the measures included and excluded in the respective process.
The finalized SoA must also be approved by the organization's management.
SoA and Audits
The continuous monitoring of information security requires measurement and internal auditing. At its most basic level, it's about answering four questions:
- Do we have what we say we have?
- Do we do what we say we do?
- Does the information security system serve its intended purpose?
- Do the information security measures work as intended?
When an organization audits an area, it needs a solid and tangible framework, and this is exactly what an SoA provides. Because the SoA translates the requirements of ISO 27001 into policies, control descriptions and procedures, it gives you a tangible foundation for your audit.
Software Can Lessen the Workload
If you wish to achieve full ISMS (Information Security Management System) compliance, you may need to invest in software that corresponds to your goals.
Here at RISMA, we have developed complete software for ISO 27001 that gives you an overview of your information security measures through an action plan, so you can optimize and systematize your process. The solution consists of a wide range of tools that make working with information security simple and straightforward.
In the solution you can find a risk catalog, risk matrix visualization, action plans, gap analysis, and data processor audits - and of course the ability to generate a complete SoA document and much more.
Gain an overview of security policies, create specific control descriptions and procedures and report on the progress of action plans in a simple way.