The Statement of Applicability which you can assess through the dashboard is a critical part of your information security management system. For your information, this is one of the most important documents that you need for your ISO 27001 certification. The SoA main task is to state what ISO 27001 controls and policies are being implemented by the enterprise to protect the valuable information and its facilities. This is why it is an integral part of the ISO 27001 documentation which is related to the security of the information of an organization.

Why SoA is needed?

Once you have completed the risk assessment report, you need to define some controls which will tackle those risks. Those controls are listed in another document which is termed as the Statement of Applicability and some of the reasons why it is necessary are:

• During the risk treatment process, there are some controls that you use to tackle the risks, these controls are identified and listed for you through SoA.
• It also includes and excludes the controls that are not needed or are of no use depending on risks.
• The risk assessment report is usually lengthy, but the SoA is short and helps in understanding the risks better and also allow you to view which of the controls would become part of your risks treatment process.
• SoA also documents which of the controls were implemented and which are left. This is a good practice as it helps in understanding which of the controls are not effective against a certain kind of risks and would not be bothered next time.

Steps to Develop ISO 27001Statement of Applicability

If you are a new person using the ISO Manager software and thinking of how to develop the ISO 27001 risk assessment along with the Statement of Accountability, then you are at the right place. The given below steps will help you how to perform the whole tasks.

Understanding the controls and their inclusion process

The first involves knowing how many controls and which of those controls will be included in your SoA. However, according to the data present in the IT Governance, there are around 114 entries present in SoA which can become part of the controls.

Identification and Analysis of Risks

You would have to work with your team in exploring the controls and also to identify all the possible risks. Keep an eye on all those risks which can affect the confidentiality, integrity and availability of any asset of your ISMS. Once the risks are identified, you need to see how they might occur and could affect your information.

Choose the controls to tackle the risks

According to the ISO 27001, there are four ways which are recommended to treat risks, and that is:

• Tolerating the risks
• Avoid the risks
• Share the risks
• Modify or mitigate the risks

Developing a Risk Treatment Plan

You need to produce risk treatment plans so that after the identification of the risks, your organization is in a state to reach the happenings. Moreover, they would feel ready with a proper timeline and the resources that they will use to protect the ISMS.

Providing a Controls List

The SoA will need a list of all the controls which are recommended by Annex A and through that control, it will be seen what has been applied and what is left.

Maintain your Statement of Applicability.

SoA is not a static document and it will keep on changing depending on the need and working of your business. Moreover, it relies on the security issues and the standard set forth by the ISO, and ISO is always improving the SoA and controls to provide better security to the ISMS.