ISO 27001 Statement of Applicability and Some of my Thoughts

Richard Regalado

The Statement of Applicability or SOA is a document containing:

- selected control objectives and controls, and the reasons for their selection (reasons may include contractual obligations, legal requirements, regulatory requirements, your very own business requirements, results of your risk assessment, etc.)

- control objectives and controls currently implemented (one does not need ISO 27001 to have information security controls. Even before ISO 27001 became fashionable, most of us already had doors, cabinets, cupboards, CCTV cameras, passwords, firewalls, backup processes, BCPs, documented operating procedures, etc. It's like building a house: no one needs to tell you to put up walls, doors or windows.)

- the exclusion of any control objectives and controls, and the justification for their exclusion (Not one of the security controls in Annex A is required. Yes, not one. You just have to justify here why you are not implementing Encryption, for example.)

Attached is the Statement of Applicability I've been using for my clients. I'm sharing it here for the members. It is very easy to use and captures all of the requirements for a SOA.

If you have questions, suggestions or violent reactions, please PM me or reply to this post. Nice weekend to everyone.

Attachments

- ISO27k SOA 20110702.xls (62 KB)

dsheaffe

I could open it without a problem (i.e., I didn't get asked for a password). Very nice - thanks for sharing.