8 Aug, 2019
The Statement of Applicability… just reading those words will get many people’s heads in a spin! As many of us find this document daunting, we’d like to try and simplify it for you.
The Statement of Applicability is a document that details which controls you have in place to manage the risks to the security of your business’ confidential or sensitive information. It’s the one document that contains every element you employ to achieve this. In other words, it is the most important document in your compliance.
Your Statement of Applicability should clearly define which of the 27001 Standard’s 114 Annex A Controls you will apply and how they will be implemented. I hear you ask – “What are the Annex A Controls?” – they are essentially security measures. I also hear you ask “Are there really 114 of them?” – yes there are! The guidelines for these are set out in ISO 27002, the code of practice for ISO 27001. This sub-standard provides detailed information on each control, how it works and finally how to implement it.
In simpler terms, the Statement of Applicability is a detailed Risk Assessment. It should document any additional controls to your information security and your reasons for their selection. In addition to this, it should detail any that have been excluded and your justification for doing so.
The Information Security Management System focuses on continual improvement and the Statement of Applicability will help you achieve this.
First of all, it will help you to understand how you are managing risks and why. Secondly, it will ensure all necessary controls have been captured, and will provide guidance on any additional controls that you might not have considered. Thirdly, it will allow you to review whether a control is effective and whether there are any more suitable options.
This document should be the focal point for internal audits and will be used by your Assessor at your audit.
Now, this is the daunting part!
Whilst the initial completion of this can feel a little overwhelming, don’t be put off by its size and seeming complexity. Once completed, it’ll be subject to an annual review but shouldn’t require any major reconstruction unless your business changes substantially. With perseverance, you will greatly increase your personal development, make a major contribution to information security compliance and conformity and, as a result, perhaps save your organisation thousands of pounds.
We provide a Statement of Applicability template which can be found within our Client Area, in the ‘Forms and Templates’ section. This document should reflect your own management system and the applicable controls required to manage your information assets.
Shaw Healthcare Group Limited have completed the Statement of Applicability well. Jasmine Bird comments: “The Statement of Applicability was really informative in relation to the justification for each area and key in really understanding where you are as a business.
Rather than tackling this on my own, I completed this alongside key colleagues. Each of us was able to answer our respective areas. It was instrumental in constructing the Information Security Management Policy to ensure all areas were included. This is a great tool for Management Review Meetings to identify areas for improvement and opportunity”.
If you do require any assistance with completing your Statement of Applicability, please do get in touch with our office on 0330 058 5551 where we can arrange for additional support.
ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.