How to develop a Statement of Applicability according to ISO 27001:2013

of Your ISMS
Statement of
How to develop a
Statement of Applicability
according to ISO 27001:2013
By Jesper E. Siig
Senior Security Advisor
at Neupart
© 2013 Neupart
The Statement of Applicability (SoA) is a central, mandatory part of the ISO 27001 standard for
Information Security Management Systems.
In this whitepaper we will look at why it is important, how we develop the Statement of Applicability,
and look at some tools to help you develop your Statement of Applicability.
So, if you follow the advice in this white paper, you will not only be able to speed up the development
of your Statement of Applicability, but also be certain that your work will follow the methodology for
implementing an Information Security Management System as prescribed by the ISO 27001:2013
Apart from the fact that it is a mandatory part of an Information Security Management System, there
are many reasons why it is worth spending time establishing an accurate, updated Statement of
The Statement of Applicability forms the main link between your risk assessment and the information
security you have implemented. The purpose of the Statement of Applicability is to document which
controls (security measures) from ISO 27001 Annex A (and thereby the ISO 27002 standard for
information security) you will implement, the reason they have been chosen - and for those that have
not been chosen - the justification for their exclusion.
While the standard does not directly specify this, it has become good practice to also include the
following in the Statement of Applicability document:
The status of implementation for existing controls
A link to the control documentation or a brief description of how each control is implemented
A cross-reference to the sources of other requirements, necessitating the controls chosen
Thus, by preparing a good quality Statement of Applicability, you will have a thorough and full overview
of which controls you need to implement, why they are implemented, how they are implemented, and
how well they are implemented.
In the following, we will take a look at how you can go about developing your Statement of
The Statement of Applicability is the result of numerous activities defined in the planning phase of an
ISO 27001 implementation.
© 2013 Neupart
The two primary sources for the Statement of Applicability are the risk assessment and Annex A of the
standard (in reality the Table of Contents of the ISO 27002 standard). Other sources are the controls
that currently exist in the organization and external security requirement that the organization has to
comply with.
Your road to the Statement of Applicability can be illustrated like this:
Figure 1. The Road to SoA - and beyond
Identify and Analyse Risks
To ensure that the controls that are implemented reflect the risks that the organization faces, a risk
analysis must be undertaken. The risk analysis starts with an identification of the risks. The identification
consists of the following activities
Identify the risks associated with the loss of:
a. Confidentiality
b. Integrity
c. Availability
Identify the risk owners
Secondly the risks must be analysed and evaluated. The analysis consists of the following activities:
Assess the potential consequences that would result if the risks identified were to materialize
© 2013 Neupart
Assess the realistic likelihood of the occurrence of the risks identified
Determine the levels of risk
Compare the analysed risks with the organization’s risk acceptance criteria and establish
priorities for treatment
Select Controls
Where the analysis has determined that the risks are not acceptable, proper action must be taken. The
risk treatment options typically are:
Applying appropriate controls
Knowingly and objectively accepting risks
Avoiding risks, or
Sharing the associated business risks with other parties, e.g. insurers or suppliers
For those risks where the option a) above is chosen, proper controls must be selected. Fortunately ISO
27002 provides us with a very good catalogue of control objectives and controls for the treatment of
risks as well as good guidance on how to implement the controls.
In addition to the risk analysis, numerous other sources may come into play when you select controls.
Common sources are:
Currently implemented controls
Payment Card Industry Data Security Standard (PCI DSS)
National data protection laws, based on the EU Data Protection Directive or other legal
SANS Twenty Critical Controls for Effective Cyber Defence
Other sources may be:
Industry-specific regulatory requirements
Contractual security requirements
Corporate or Group security requirements which a subsidiary must adhere to
NIST Security and Privacy Controls for Federal Information Systems and Organizations
It is recommended that if the organization wishes to adhere to ISO 27001, the Statement of Applicability
is organized according to ISO 27002, and that the various other security requirements are then mapped
into the ISO 27002 framework. The Statement of Applicability should for each chosen control
1. The source of the requirement which has led to the selection of the control
2. The maturity or level of compliance of the control
3. A reference to where in the source the need for this control is stated OR
The reason that the control has not been selected
4. A short description of the control or a reference to where the control is described
© 2013 Neupart
Analyse Gaps
While this is not a strict requirement of the ISO 27001 standard, it is recommended that once the
required controls have been selected, a gap analysis is performed to establish the current state of the
implementation of the controls.
To ensure the evaluation of the controls is consistent and coherent, it is recommended that a commonly
accepted maturity level model be selected. Examples of such maturity scales are:
The COBIT 4.1 Maturity Model
Carnegie Mellon Software Engineering Institute Capability Maturity Model (CMM)
The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark
Typically the scale for maturity falls in 5 levels:
Initial/Ad hoc
Repeatable but intuitive
Defined process
Managed and measurable
Writing the Statement of Applicability
After having selected the controls and performed a gap analysis on the selected controls, we now have
all the information needed to write the Statement of Applicability itself.
It is recommended that a structured tool is used to document the Statement of Applicability. That way,
it will be possible to work with the content of the Statement of Applicability and, for instance, sort and
filter based on compliance level, source for requirements and other parameters.
Examples of relevant tools to write the Statement of Applicability are spreadsheets, databases and
dedicated ISMS tools, such as SecureAware from Neupart.
It should be noted, that the Statement of Applicability must not be a one-off exercise, but must be
updated when there are changes to the controls, to the compliance level or to the requirements that
necessitate the controls.
Plan Risk Treatment
As noted in the introduction, the Statement of Applicability is a very central document in the
information security management system. After the initial version of the Statement of Applicability has
been developed, it will be used both when developing the risk treatment plan and when implementing
the controls that have been selected during the ‘Select Controls’ activity.
The risk treatment plan could be said to be the organization’s security implementation plan, and the
primary goal of the plan is to achieve the organization’s security goals.
© 2013 Neupart
When planning the implementation the following factors should be considered:
What will be done?
What resources will be required?
Who will be responsible?
When will it be completed?
How will the results be evaluated?
Another important factor to consider when planning the security implementation, is the importance of
the controls that are being implemented, so the security activities must be prioritized according to:
The consequences associated with the risks
The likelihood of the risks
Legal and other regulatory requirements
Implement Controls
Once the risk treatment planning has been done, the actual security work starts. Depending on how
wide the gap is between the actual and the necessary security levels, this might be a both work
intensive and time consuming task. Therefore it is not unusual to see risk treatment plans that stretch
several months or even years.
During the implementation of the controls, the maturity of the ISMS is improved, and therefore the
Statement of Applicability must be updated according to this progress.
Maintaining the Statement of Applicability
As noted above, the Statement of Applicability must be continually updated, and Neupart recommends,
that previous (major) updates be kept, so that the improvements in control implementation and
compliance can be documented.
Also, as the organization's risk management approach matures, it is likely that recurring risk
assessments may result in updates to the overall risk picture and therefore also to the Statement of
An updated Statement of Applicability is very useful to document the overall implementation level of
the ISMS as well as the effectiveness of the controls that have been implemented.
© 2013 Neupart
As noted above, it is very useful to use a structured tool to document the Statement of Applicability.
Neupart offers a fully-fledged Information Security Management System, SecureAware. SecureAware is
developed from the methodology prescribed in ISO 27001 and ISO 27002 as well as the standard for
Information Risk Management ISO 27005. SecureAware will help you automate the implementation of
your Information Security Management System saving you valuable resources as well as ensuring that
your implementation will follow the standards. SecureAware is available as a time limited free trial that
allows you to create your Statement of Applicability.
If you wish to initiate the implementation of your ISMS without the aid of SecureAware, we have
developed a spreadsheet that can be used to document the Statement of Applicability.
The spreadsheet is structured as the ISO 27002 controls which means that it corresponds directly with
the control objectives and controls included in the ISO 27001 Annex A.
The columns in the spreadsheet are as follows:
ISO 27002 Control
Source for Requirement:
Source reference/
Reason for Non-applicability
Control Description/
Reference to Control
Section number
Section Title
The columns below are example requirements
Other sources may be added depending on the organizations needs
Risk Assessments
Current Controls
Contractual requirements
Data Protection Law
Assess the maturity of the control according to this scale:
5. Optimized
4. Managed and measurable
3. Defined process
2. Repeatable but intuitive
1. Initial/Ad hoc
0. Non-existent
Not applicable
Either document the reason for applicability by identifying the relevant
section in the source for requirement
Explain why this control is not relevant
Either give a short description of the controls
Give a reference to the description of the control
Download the spreadsheet here:
© 2013 Neupart
ISO Standard 27001 - Information security management systems - Requirements
Payment Card Industry - Data Security Standard (PCI DSS)
SANS Institute - Twenty Critical Security Controls for Effective Cyber Defence
NIST Special Publication 800-53
Security and Privacy Controls for Federal Information Systems and Organizations
EU Data Protection Directive 95/46/EC
Danish Data Protection Law (Persondatalov)
The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark
Sign up for more insights on Information Security Management.
Receive white papers, articles, webinar invitations etc.
© 2013 Neupart
What is SecureAware ISMS?
Spend less time on security management and get a more precise overview of your security. If you have
to comply with standards or best practice for information security, SecureAware gives you improved
efficiency and the option to easily assess how much security your organization needs.
With SecureAware you no longer need complex spread sheets for risk assessments, and you can avoid
using lengthy security manuals in countless versions. Further, SecureAware gives you several shortcuts
to ISO 27001, PCI DSS-compliance and others. You will also get a complete overview of your recurring
security tasks. That way you can spend less time on security management, or you can choose to spend
your consultancy budget on other projects.
SecureAware can be used as a full information security management solution or as individual modules.
Get more information and a free trial here:
Using SecureAware you will get:
ISO 27001 Information Security
Management System (ISMS)
Plan-Do-Check-Act process and
Statement of Applicability
IT risk management in compliance
with ISO 27005 and NIST SP800-37
PCI DSS compliance
Policy and security awareness
Cloud vendor analysis based on
Cloud Security Alliance GRC Stack
Compliance analysis
Control of the security functions
Business Continuity Planning in
accordance with BS 25999
© 2013 Neupart
Timesaving templates for security
policies, business continuity plans
and threat catalogue
APIs for data exchange
Smart upgrade ensures easy access
to new features and content
Runs on several SQL databases
MS Active Directory support with
users and groups
Available as a software solution or
as a service
Neupart, an ISO 27001 certified company, provides an all-in-one, efficient IT GRC solution
allowing organizations to automate IT governance, risk and compliance management.
Whether you need to manage evolving business risks or achieve continuous compliance
with PCI DSS, ISO 27001, EU Data Protection Regulations, Cloud Security Alliance Control
Matrix, or WLA SCS, Neupart allows you to respond effectively - in the cloud or on the
ground. More than 200 organisations worldwide are Neupart customers, including
governments, utilities, banks and insurance firms, IT service providers and lotteries.
© 2013 Neupart
Hollandsvej 12
DK-2800 Lyngby
T: +45 7025 8030