The Statement of Applicability (SoA) is the area that causes most consternation and yet, by following simple steps, this will be the guide to the control of your risks, and need not be a complicated nor onerous chore.
There are 114 controls in 14 groups, such as human resource security, physical and environmental security, asset management and information security incident management. It is worth noting that there is a degree of overlap in many instances, and the controls for one of the groups may equally provide control in another area.
You will need to decide which of these controls are required for your organisation, and give justification for their inclusion or exclusion.
There are a number of controls that would be difficult for any organisation to exclude such as information security incident management, information security continuity, human resource continuity or asset management.
For those areas that are outside your control, such as in the case where IT services may be outsourced, then the direct responsibility for the implementation lies with the supplier.
However, in these instances, the ownership of the risks will still lie with you and, therefore, the oversight of those controls will then come under A.15 Supplier relationships, which should then ensure that satisfactory controls are in place.
The SoA is underpinned by ISO 27002, which gives detailed guidance for each of the control objectives and controls; we would encourage anyone who is intending to work towards ISO 27001 certification to utilise the guidance in ISO 27002.
We can assist in the development of your risk assessment and risk treatment process, capturing this in your Statement of Applicability, ensuring that you understand the process so that you are able to take ownership.
Our documentation is straightforward and user-friendly, giving clarity and good oversight.