How to develop a Statement of Applicability according to ISO 27001:2013

By Jesper E. Siig, Senior Security Advisor at Neupart

Statement of Applicability: The Cornerstone of Your ISMS

© 2013 Neupart


Introduction

The Statement of Applicability (SoA) is a central, mandatory part of the ISO 27001 standard for Information Security Management Systems.

In this white paper we will look at why it is important, how we develop the Statement of Applicability, and at some tools to help you develop your Statement of Applicability.

So, if you follow the advice in this white paper, you will not only be able to speed up the development of your Statement of Applicability, but also be certain that your work will follow the methodology for implementing an Information Security Management System as prescribed by the ISO 27001:2013 standard.

Why

Apart from the fact that it is a mandatory part of an Information Security Management System, there are many reasons why it is worth spending time establishing an accurate, up-to-date Statement of Applicability.

The Statement of Applicability forms the main link between your risk assessment and the information security you have implemented. The purpose of the Statement of Applicability is to document which controls (security measures) from ISO 27001 Annex A (and thereby the ISO 27002 standard for information security) you will implement, the reason they have been chosen, and, for those that have not been chosen, the justification for their exclusion.

While the standard does not directly specify this, it has become good practice to also include the following in the Statement of Applicability document:

- The status of implementation for existing controls
- A link to the control documentation or a brief description of how each control is implemented
- A cross-reference to the sources of other requirements necessitating the controls chosen

Thus, by preparing a good quality Statement of Applicability, you will have a thorough and full overview of which controls you need to implement, why they are implemented, how they are implemented, and how well they are implemented.

In the following, we will take a look at how you can go about developing your Statement of Applicability.

How

The Statement of Applicability is the result of numerous activities defined in the planning phase of an ISO 27001 implementation.

The two primary sources for the Statement of Applicability are the risk assessment and Annex A of the standard (in reality the table of contents of the ISO 27002 standard). Other sources are the controls that currently exist in the organization and the external security requirements that the organization has to comply with.

Your road to the Statement of Applicability can be illustrated like this:

Figure 1. The Road to SoA - and beyond

Identify and Analyse Risks

To ensure that the controls that are implemented reflect the risks that the organization faces, a risk analysis must be undertaken. The risk analysis starts with an identification of the risks. The identification consists of the following activities:

1) Identify the risks associated with the loss of:
   a. Confidentiality
   b. Integrity
   c. Availability
2) Identify the risk owners

Secondly, the risks must be analysed and evaluated. The analysis consists of the following activities:

3) Assess the potential consequences that would result if the risks identified were to materialize
4) Assess the realistic likelihood of the occurrence of the risks identified
5) Determine the levels of risk
6) Compare the analysed risks with the organization's risk acceptance criteria and establish priorities for treatment

Select Controls

Where the analysis has determined that the risks are not acceptable, proper action must be taken. The risk treatment options typically are:

a) Applying appropriate controls
b) Knowingly and objectively accepting risks
c) Avoiding risks, or
d) Sharing the associated business risks with other parties, e.g. insurers or suppliers

For those risks where option a) above is chosen, proper controls must be selected. Fortunately, ISO 27002 provides us with a very good catalogue of control objectives and controls for the treatment of risks, as well as good guidance on how to implement the controls.

In addition to the risk analysis, numerous other sources may come into play when you select controls. Common sources are:

- Currently implemented controls
- Payment Card Industry Data Security Standard (PCI DSS)
- National data protection laws, based on the EU Data Protection Directive, or other legal requirements
- SANS Twenty Critical Controls for Effective Cyber Defence

Other sources may be:

- Industry-specific regulatory requirements
- Contractual security requirements
- Corporate or Group security requirements which a subsidiary must adhere to
- NIST Security and Privacy Controls for Federal Information Systems and Organizations

It is recommended that, if the organization wishes to adhere to ISO 27001, the Statement of Applicability is organized according to ISO 27002, and that the various other security requirements are then mapped into the ISO 27002 framework. The Statement of Applicability should, for each control, document:

1. The source of the requirement which has led to the selection of the control
2. The maturity or level of compliance of the control
3. A reference to where in the source the need for this control is stated, OR the reason that the control has not been selected
4. A short description of the control or a reference to where the control is described


Analyse Gaps

While this is not a strict requirement of the ISO 27001 standard, it is recommended that, once the required controls have been selected, a gap analysis is performed to establish the current state of the implementation of the controls.

To ensure that the evaluation of the controls is consistent and coherent, it is recommended that a commonly accepted maturity level model be selected. Examples of such maturity scales are:

- The COBIT 4.1 Maturity Model
- Carnegie Mellon Software Engineering Institute Capability Maturity Model (CMM)
- The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001 benchmark

Typically the scale for maturity falls into 5 levels:

0. Non-existent
1. Initial/Ad hoc
2. Repeatable but intuitive
3. Defined process
4. Managed and measurable
5. Optimized

Writing the Statement of Applicability

After having selected the controls and performed a gap analysis on the selected controls, we now have all the information needed to write the Statement of Applicability itself.

It is recommended that a structured tool is used to document the Statement of Applicability. That way, it will be possible to work with the content of the Statement of Applicability and, for instance, sort and filter based on compliance level, source for requirements and other parameters.

Examples of relevant tools to write the Statement of Applicability are spreadsheets, databases and dedicated ISMS tools, such as SecureAware from Neupart.

It should be noted that the Statement of Applicability must not be a one-off exercise, but must be updated when there are changes to the controls, to the compliance level or to the requirements that necessitate the controls.

Plan Risk Treatment

As noted in the introduction, the Statement of Applicability is a very central document in the information security management system. After the initial version of the Statement of Applicability has been developed, it will be used both when developing the risk treatment plan and when implementing the controls that have been selected during the 'Select Controls' activity.

The risk treatment plan could be said to be the organization's security implementation plan, and the primary goal of the plan is to achieve the organization's security goals.


When planning the implementation, the following factors should be considered:

1. What will be done?
2. What resources will be required?
3. Who will be responsible?
4. When will it be completed?
5. How will the results be evaluated?

Another important factor to consider when planning the security implementation is the importance of the controls that are being implemented, so the security activities must be prioritized according to:

- The consequences associated with the risks
- The likelihood of the risks
- Legal and other regulatory requirements
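As an added illustration of the six risk analysis steps in 'Identify and Analyse Risks' and of the prioritization factors listed above (this code is not part of the white paper or of SecureAware), a minimal risk register that determines the level of risk, applies an acceptance criterion and orders the unacceptable risks for treatment. The 1..5 scales, the product formula for the level, the acceptance level of 6 and the exact priority ordering are assumptions, not taken from the paper.

```python
from dataclasses import dataclass

# Assumed 1..5 scales and acceptance criterion: the paper names the
# steps (consequence, likelihood, level, acceptance criteria), not values.
ACCEPT_LEVEL = 6   # constructed criterion: a level of 6 or below is accepted

@dataclass
class Risk:
    risk_id: str
    description: str
    loss_of: tuple        # step 1: which of Confidentiality, Integrity, Availability is lost
    owner: str            # step 2: the risk owner
    consequence: int      # step 3: 1 (negligible) .. 5 (severe)
    likelihood: int       # step 4: 1 (rare) .. 5 (almost certain)
    legal: bool = False   # the risk stems from a legal or regulatory requirement

    def level(self) -> int:
        """Step 5: level of risk, taken here as consequence x likelihood (assumed)."""
        return self.consequence * self.likelihood

    def acceptable(self, accept_level: int = ACCEPT_LEVEL) -> bool:
        """Step 6: compare against the organization's risk acceptance criteria."""
        return self.level() <= accept_level

def treatment_queue(risks, accept_level: int = ACCEPT_LEVEL) -> list:
    """Risks that need treatment, ordered by the priority factors as the paper lists
    them: consequence, then likelihood, then legal/regulatory need (order assumed)."""
    todo = [r for r in risks if not r.acceptable(accept_level)]
    return sorted(todo, key=lambda r: (-r.consequence, -r.likelihood, not r.legal))

def by_owner(risks, accept_level: int = ACCEPT_LEVEL) -> dict:
    """Unaccepted risks grouped by the owner who must decide on the treatment option."""
    out = {}
    for r in risks:
        if not r.acceptable(accept_level):
            out.setdefault(r.owner, []).append(r.risk_id)
    return out

# Constructed sample risk register.
REGISTER = [
    Risk("R1", "Stolen laptop exposes customer records", ("Confidentiality",), "Head of Sales", 4, 3, legal=True),
    Risk("R2", "Web shop outage for a few hours", ("Availability",), "CIO", 3, 2),
    Risk("R3", "Tampered payment file", ("Integrity",), "CFO", 5, 2),
    Risk("R4", "Credentials phished from staff", ("Confidentiality", "Integrity"), "CISO", 4, 4),
]
```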

Implement Controls

Once the risk treatment planning has been done, the actual security work starts. Depending on how wide the gap is between the actual and the necessary security levels, this can be both a work-intensive and time-consuming task. Therefore it is not unusual to see risk treatment plans that stretch over several months or even years.

During the implementation of the controls, the maturity of the ISMS is improved, and therefore the Statement of Applicability must be updated according to this progress.

Maintaining the Statement of Applicability

As noted above, the Statement of Applicability must be continually updated, and Neupart recommends that previous (major) versions be kept, so that the improvements in control implementation and compliance can be documented.

Also, as the organization's risk management approach matures, recurring risk assessments are likely to result in updates to the overall risk picture and therefore also to the Statement of Applicability.

An updated Statement of Applicability is very useful to document the overall implementation level of the ISMS as well as the effectiveness of the controls that have been implemented.


Tools

As noted above, it is very useful to use a structured tool to document the Statement of Applicability.

Neupart offers a fully fledged Information Security Management System, SecureAware. SecureAware is developed from the methodology prescribed in ISO 27001 and ISO 27002 as well as the standard for information risk management, ISO 27005. SecureAware will help you automate the implementation of your Information Security Management System, saving you valuable resources as well as ensuring that your implementation will follow the standards. SecureAware is available as a time-limited free trial that allows you to create your Statement of Applicability.

If you wish to initiate the implementation of your ISMS without the aid of SecureAware, we have developed a spreadsheet that can be used to document the Statement of Applicability.

The spreadsheet is structured according to the ISO 27002 controls, which means that it corresponds directly with the control objectives and controls included in ISO 27001 Annex A.

The columns in the spreadsheet are as follows:

Heading: Use

ISO 27002 Control
  #: Section number
  Identification: Section title

Source for Requirement (the columns below are example requirements; other sources may be added depending on the organization's needs)
  RA: Risk Assessments
  Cur.: Current Controls
  Cont.: Contractual requirements
  DPL: Data Protection Law

Compliance: Assess the maturity of the control according to this scale:
  5. Optimized
  4. Managed and measurable
  3. Defined process
  2. Repeatable but intuitive
  1. Initial/Ad hoc
  0. Non-existent
  Not applicable

Source reference / Reason for Non-applicability: Either document the reason for applicability by identifying the relevant section in the source for requirement, OR explain why this control is not relevant.

Control Description / Reference to Control: Either give a short description of the control, OR give a reference to the description of the control.

Download the spreadsheet here: www.neupart.com/resources/iso-27001/soa-template
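As an added example (not the paper's spreadsheet template or SecureAware), the column layout above expressed as a small Python register with the consistency rules a reviewer would apply: an applicable control needs a ticked source, a source reference and a compliance level, while an excluded control needs a justification and no ticked source; the register can then be sorted and filtered by compliance level and source as the 'Writing the Statement of Applicability' section recommends. The sample rows are constructed; their ISO 27002 section numbers are real, the content is invented.

```python
from dataclasses import dataclass
# Compliance scale from the paper's spreadsheet; None stands for "Not applicable".
MATURITY = {0: "Non-existent", 1: "Initial/Ad hoc", 2: "Repeatable but intuitive",
            3: "Defined process", 4: "Managed and measurable", 5: "Optimized"}
SOURCES = ("RA", "Cur.", "Cont.", "DPL")  # the paper's example source columns

@dataclass
class SoaRow:
    section: str               # "#": ISO 27002 section number
    title: str                 # Identification: section title
    sources: frozenset         # ticked "Source for Requirement" columns
    compliance: "int | None"   # 0..5, or None for Not applicable
    reference: str             # source reference OR reason for non-applicability
    control: str               # control description OR reference to the control

def validate(row: SoaRow) -> list:
    """Consistency checks on one row; an empty list means the row is sound."""
    problems = []
    if row.compliance is None:                  # excluded control
        if row.sources:
            problems.append("not-applicable control still has a ticked source")
        if not row.reference:
            problems.append("excluded control has no justification")
        return problems
    if row.compliance not in MATURITY:
        problems.append("compliance must be 0..5 or Not applicable")
    if not row.sources or not row.sources <= set(SOURCES):
        problems.append("applicable control needs a known source for requirement")
    if not row.reference:
        problems.append("applicable control lacks a source reference")
    if not row.control:
        problems.append("applicable control lacks description or reference")
    return problems

def filter_rows(rows, max_compliance=None, source=None):
    """Sort/filter applicable controls by compliance level and source."""
    out = [r for r in rows if r.compliance is not None]
    if max_compliance is not None:
        out = [r for r in out if r.compliance <= max_compliance]
    if source is not None:
        out = [r for r in out if source in r.sources]
    return sorted(out, key=lambda r: (r.compliance, r.section))

# Constructed sample rows (section numbers as in ISO 27002:2013; content invented).
SAMPLE = [
    SoaRow("9.4.2", "Secure log-on procedures", frozenset({"RA", "DPL"}), 2, "RA: R4; DPL s. 41", "Access control policy 3.2"),
    SoaRow("12.4.1", "Event logging", frozenset({"RA", "Cont."}), 4, "RA: R3; MSA Annex B", "Central log server"),
    SoaRow("14.2.7", "Outsourced development", frozenset(), None, "All development is in-house", ""),
    SoaRow("6.2.1", "Mobile device policy", frozenset({"RA"}), 1, "", "Draft policy, not yet approved"),
]
```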


References

ISO Standard 27001 - Information security management systems - Requirements
http://www.iso.org/iso/home/search.htm?qt=27001&sort=rel&type=simple&published=on

Payment Card Industry - Data Security Standard (PCI DSS)
https://www.pcisecuritystandards.org/security_standards/index.php

SANS Institute - Twenty Critical Security Controls for Effective Cyber Defence
http://www.sans.org/critical-security-controls/

NIST Special Publication 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

EU Data Protection Directive 95/46/EC
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:NOT

Danish Data Protection Law (Persondatalov)
https://www.retsinformation.dk/Forms/r0710.aspx?id=828

The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001 benchmark
http://www.digst.dk/Arkitektur-og-standarder/Styring-af-informationssikkerhed-efter-ISO-27001/~/media/Files/Arkitektur%20og%20standarder/Informationssikkerhed%20efter%20ISO27001/ISO27001_Benchmark.ashx



What is SecureAware ISMS?

Spend less time on security management and get a more precise overview of your security. If you have to comply with standards or best practice for information security, SecureAware gives you improved efficiency and the option to easily assess how much security your organization needs.

With SecureAware you no longer need complex spreadsheets for risk assessments, and you can avoid using lengthy security manuals in countless versions. Further, SecureAware gives you several shortcuts to ISO 27001, PCI DSS compliance and others. You will also get a complete overview of your recurring security tasks. That way you can spend less time on security management, or you can choose to spend your consultancy budget on other projects.

SecureAware can be used as a full information security management solution or as individual modules.

Get more information and a free trial here: www.neupart.com/products

Using SecureAware you will get:

- ISO 27001 Information Security Management System (ISMS)
- Plan-Do-Check-Act process and Statement of Applicability
- IT risk management in compliance with ISO 27005 and NIST SP800-37
- PCI DSS compliance
- Policy and security awareness management
- Cloud vendor analysis based on Cloud Security Alliance GRC Stack
- Compliance analysis
- Control of the security functions
- Business Continuity Planning in accordance with BS 25999
- Timesaving templates for security policies, business continuity plans and threat catalogue
- APIs for data exchange
- Smart upgrade ensures easy access to new features and content updates
- Runs on several SQL databases
- MS Active Directory support with users and groups
- Available as a software solution or as a service


Neupart, Hollandsvej 12, DK-2800 Lyngby
T: +45 7025 8030
www.neupart.com

Neupart, an ISO 27001 certified company, provides an all-in-one, efficient IT GRC solution allowing organizations to automate IT governance, risk and compliance management. Whether you need to manage evolving business risks or achieve continuous compliance with PCI DSS, ISO 27001, EU Data Protection Regulations, Cloud Security Alliance Control Matrix, or WLA SCS, Neupart allows you to respond effectively - in the cloud or on the ground. More than 200 organisations worldwide are Neupart customers, including governments, utilities, banks and insurance firms, IT service providers and lotteries.