Not quite old news: Statement of Applicability

#1
Hi guys and girls,

I'm in a small business (15-30 employees) in a very low-risk business environment, and I'm reviewing our ISO 27001 management system. I have spent most of the day scratching around the internet for sample SOAs etc.

Having found a few, they vary in size and amount of information, so I'm trying to get some ideas/feedback on how minimal I could keep it and still keep our BSI auditor happy. (I have approached them and await their feedback, but thought I'd tap this resource a bit too.)

I'm thinking of streamlining both our SOA and risk assessment against 27001 assets, but the SOA I think can be a lot smaller than the current one (I had to print it onto A1 paper to be able to read it all on one sheet).

Could I get away with a small SOA that simply has columns for:

Column A: Control # and name (according to Annex A of ISO 27001)
Column B: Whether it is applicable or not
Column C: Exclusion justification where needed
Column D: Basic details of how that control is applied

So the above columns could be populated as follows:

Column A: 8.1.2: Screening
Column B: Yes
Column C: N/A
Column D: HR dept processes application details and investigates applicants' history

On the risk assessment side of things, I would list in the "Human Asset" table that control 8.1.2 is applied at the application stage to ensure we employ the right kind of person.

Any thoughts? Muchos gracias.

Greg
pldey42

#2
You need justification for inclusion as well (ISO 27001:2013 6.1.3.d) which could be a pointer to the risk assessment or treatment plan that called for it.

You could consider an extra column or two (not mandatory in the standard but perhaps helpful) that indicates whether a control's effectiveness is measured and if so, the target and the current value or trend.

Do keep in mind that any you find on the internet are likely to have been sanitised so as not to expose a lack of controls that the company would like but, e.g., can't afford. There may also be controls in use that aren't declared in public, to make them harder for an attacker to defeat.

There was a time when the SoA was regarded as a public document, but since that was clearly crazy, it's no longer seen that way. But that's the reason you can sometimes find an SoA on the internet: the teaching then was to make a private real one and a public sanitised one; the public one was of course as useful as a chocolate padlock. I would never publish an SoA, seeing no reason to help attackers, perhaps unwittingly. I would share it with clients on request under an appropriate NDA, maybe after a risk assessment, and sometimes sanitised for our mutual protection.

Hope this helps
Pat
infosaas

#3
Ahhh - the good old SOA! I've lost count of how many times I have been asked to share this, but when you discuss why a customer/consultant/etc. needs it, it is often far simpler to share just the controls which have not been selected by your organisation! I personally believe that an SOA without the context of the risk assessment and control implementation activities is of limited value (at best) to a third party.

Having said that, an SOA in my experience is a table which chronicles which controls have been selected for each asset during its regular risk assessment. This can be a time-consuming exercise - my colleague used to spend two days each year preparing this - which is one of the reasons why I created InfoSaaS, where the SOA is automatically populated as each risk assessment is completed and finalised.
#4
Thanks for your input folks.

My new SOA went live for our transition audit to 27001:2013 and passed the scrutiny.

I finished with the columns below, in case anyone in a similarly low-risk environment like mine needs one:

control number
control name
control requirement
adopted/excluded
reason for adoption/exclusion
implemented (y/n)
manifestation of control
and a final column for comments

Thanks for your help, guys.