Statement of Applicability ISO 27001

There are 93 controls, separated into four groups: Organisational, People, Physical and Technological. The controls can additionally be viewed using ‘attributes’:

• Control type
• Information security properties
• Cybersecurity concepts
• Operational capabilities
• Security domains

It is worth noting that there is a degree of overlap in many instances, and the controls for one of the groups may equally provide control in another area.

You will need to decide which of these controls are required for your organisation, and give justification for their inclusion or exclusion.

There are a number of controls that would be difficult for any organisation to exclude such as policies for information security, response to information security incidents or information security awareness, education or training.

For those areas that are outside your control, such as in the case where IT services may be outsourced, then the direct responsibility for the implementation lies with the supplier. However, in these instances, the ownership of the risks will still lie with you and, therefore, the oversight of those controls will then come under 5.21 Managing information security in the information and communication technology (ICT) supply chain and 5.22 Monitoring, review and change management of supplier services.

The Statement of Applicability ISO 27001 is underpinned by ISO 27002, which gives detailed guidance for each of the control objectives and controls; we would encourage anyone who is intending to work towards ISO 27001 certification to utilise the guidance in ISO 27002.

We can assist in the development of your risk assessment and risk treatment process, capturing this in your Statement of Applicability, ensuring that you understand the process so that you are able to take ownership.

Our documentation is straightforward and user-friendly, giving clarity and good oversight.