How to develop a Statement of Applicability according to ISO 27001:2017

March 2018, Edition 2.0

©Neupart A/S 2018

INTRODUCTION

The Statement of Applicability (SoA) is a central, mandatory part of the ISO 27001 standard for Information Security Management Systems.

In this whitepaper we will look at why it is so important, and how to develop the Statement of Applicability.

So, if you follow the advice in this white paper, you will not only be able to speed up the development of your Statement of Applicability, but also be certain that your work will follow the methodology for implementing an Information Security Management System as prescribed by the ISO 27001:2017 standard.

Statement of Applicability: Cornerstone of your ISMS

Published in March 2018, this is an updated version of the original white paper from 2014.


WHY

Apart from the fact that it is a mandatory part of an Information Security Management System, there are many reasons why it is worth spending time establishing an accurate, up-to-date Statement of Applicability.

The Statement of Applicability forms the main link between your risk assessment and the information security you have implemented. The purpose of the Statement of Applicability is to document which controls (security measures) from ISO 27001 Annex A (and thereby the ISO 27002 standard for information security) you will implement, and the reason they have been chosen – as well as justifying why any controls might be excluded.

It is also good practice to include the following in the Statement of Applicability document:

• The status of implementation for existing controls

• A link to the control documentation or a brief description of how each control is implemented

• A cross-reference to the sources of other requirements, necessitating the controls chosen

Thus, by preparing a good quality Statement of Applicability, you will have a thorough and full overview of which controls you need to implement, why they are implemented, how they are implemented, and how well they are implemented.

Take a look at how you can develop your SoA


HOW

The Statement of Applicability is the result of numerous activities defined in the planning phase of an ISO 27001 implementation. The two primary sources for the Statement of Applicability are the risk assessment and Annex A of the standard (in reality the table of contents of the ISO 27002 standard). Other sources are the controls that currently exist in the organization and the external security requirements that the organization has to comply with.

Your road to the Statement of Applicability can be illustrated like this:

Figure 1: The road to SoA – and beyond. Activities: Identify and Analyse Risks → Select Controls → Analyse Gaps → Plan Risk Treatment → Implement Controls. Inputs to the Statement of Applicability: External Requirements, Current Controls, and Annex A / ISO 27002; the Statement of Applicability in turn feeds the Risk Treatment Plan.


Identify and Analyse Risks

To ensure that the controls that are implemented reflect the risks that the organization faces, a risk analysis must be undertaken. The risk analysis starts with an identification of the risks.

1. Identify the risks to information within the scope of the ISMS, i.e. the risks to its:

• Confidentiality

• Integrity

• Availability

2. Identify the risk owners

Next, the risks must be analysed and evaluated. The analysis consists of the following activities:

3. Assess the potential consequences that would result if the risks identified were to materialize

4. Assess the realistic likelihood of the occurrence of the risks identified

5. Determine the levels of risk

6. Compare the analysed risks with the organization’s risk acceptance criteria and establish priorities for treatment

Select Controls

Where the analysis has determined that the risks are not acceptable, proper action must be taken. The risk treatment options are typically:

a) Applying appropriate controls

b) Knowingly and objectively accepting risks

c) Avoiding risks, or

d) Sharing the associated business risks with other parties, e.g. insurers or suppliers


For those risks where option a) above is chosen, proper controls must be selected. Fortunately, ISO 27002 provides us with a very good catalogue of control objectives and controls for the treatment of risks as well as good guidance on how to implement the controls.

In addition to the risk analysis, numerous other sources may come into play when you select controls. Common sources are:

• Currently implemented controls

• Payment Card Industry Data Security Standard (PCI DSS)

• The EU General Data Protection Regulation (GDPR)

• SANS Twenty Critical Controls for Effective Cyber Defence

Other sources may be:

• Industry-specific regulatory requirements

• Contractual security requirements

• Corporate or Group security requirements which a subsidiary must adhere to

• NIST Security and Privacy Controls for Federal Information Systems and Organizations

It is recommended that if the organization wishes to adhere to ISO 27001, the Statement of Applicability is organized according to ISO 27002, and that the various other security requirements are then mapped into the ISO 27002 framework. The Statement of Applicability should for each chosen control document:

1. The source of the requirement which has led to the selection of the control

2. The maturity or level of compliance of the control

3. A reference to where in the source the need for this control is stated, or the reason that the control has not been selected

4. A short description of the control or a reference to where the control is described


Gap Analysis

While this is not a strict requirement of the ISO 27001 standard, it is recommended that once the required controls have been selected, a gap analysis is performed to establish the current state of the implementation of the controls.

To ensure the evaluation of the controls is consistent and coherent, it is recommended that a commonly accepted maturity level model be selected. Examples of such maturity scales are:

• The COBIT 4.1 Maturity Model

• Carnegie Mellon Software Engineering Institute Capability Maturity Model (CMM)

• The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark

Typically the scale for maturity has 5 levels above "non-existent" (see Figure 2).

Writing the Statement of Applicability

After having selected the controls and performed a gap analysis on the selected controls, we now have all the information needed to write the Statement of Applicability itself. It is recommended that a structured tool is used to document the Statement of Applicability. That way, it will be possible to work with the content of the Statement of Applicability and, for instance, sort and filter based on compliance level, source for requirements and other parameters.

Examples of relevant tools to write the Statement of Applicability are spreadsheets, databases, and dedicated ISMS tools, such as Secure ISMS from Neupart.

It should be noted that the Statement of Applicability must not be a one-off exercise. It must be updated whenever the controls, their compliance level, or the requirements that necessitate the controls change.
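The following is an added example, not code from this whitepaper or from Neupart's Secure ISMS, of what a "structured tool" for the Statement of Applicability can look like in the smallest possible form: the risk register from the "Identify and Analyse Risks" step, the per-control fields listed under "Select Controls" (source, maturity, justification, implementation reference), and the consistency checks an auditor will otherwise perform by hand. Control identifiers and titles are real ISO/IEC 27001:2013 Annex A entries (unchanged in the 2017 edition); the risks, requirement sources, maturity values, acceptance criterion and implementation references are constructed for illustration and are not from the page.

```python
"""Statement of Applicability (SoA) as structured records with consistency checks.

Added example; not code from the Neupart whitepaper or from Secure ISMS.
Control IDs/titles are from ISO/IEC 27001:2013 Annex A; the risks, sources,
maturity values, acceptance criterion and references are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Maturity scale of Figure 2 (COBIT 4.1 style): 0 = Non-existent ... 5 = Optimized
MATURITY = {0: "Non-existent", 1: "Initial/Ad hoc", 2: "Repeatable but intuitive",
            3: "Defined process", 4: "Managed and measurable", 5: "Optimized"}

RISK_ACCEPTANCE_LEVEL = 6  # constructed criterion: level = consequence x likelihood; > 6 must be treated


@dataclass
class Risk:
    rid: str
    description: str
    owner: str
    consequence: int            # 1 (negligible) .. 5 (severe)
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    treatment: str = "control"  # "control" | "accept" | "avoid" | "share" (options a-d)

    @property
    def level(self) -> int:
        return self.consequence * self.likelihood

    def needs_treatment(self) -> bool:
        return self.level > RISK_ACCEPTANCE_LEVEL


@dataclass
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str                                # why selected, or why excluded
    sources: List[str] = field(default_factory=list)  # "Risk R-1", "GDPR Art. 32", ...
    maturity: Optional[int] = None                    # 0..5 when selected, None when excluded
    implementation: str = ""                          # short description or reference to control documentation


def validate_soa(entries, annex_a_ids, risks):
    """Return findings; an empty list means the SoA is internally consistent."""
    findings = []
    decided = {e.control_id for e in entries}
    for cid in sorted(annex_a_ids - decided):
        findings.append(f"{cid}: no decision recorded (every Annex A control must be selected or excluded)")
    for e in entries:
        if not e.justification.strip():
            findings.append(f"{e.control_id}: missing justification")
        if e.applicable:
            if not e.sources:
                findings.append(f"{e.control_id}: selected without a requirement source")
            if e.maturity not in MATURITY:
                findings.append(f"{e.control_id}: maturity must be 0..5")
        elif e.sources or e.maturity is not None:
            findings.append(f"{e.control_id}: excluded control must not carry sources or a maturity")
    # Every unacceptable risk treated by option a) must be referenced by at least one selected control.
    treated = {s for e in entries if e.applicable for s in e.sources}
    for r in risks:
        if r.needs_treatment() and r.treatment == "control" and f"Risk {r.rid}" not in treated:
            findings.append(f"Risk {r.rid} (level {r.level}): above acceptance criteria, no selected control references it")
    return findings


def filter_by_source(entries, prefix):
    """Selected controls with at least one source starting with `prefix`, e.g. "PCI DSS"."""
    return [e for e in entries if e.applicable and any(s.startswith(prefix) for s in e.sources)]


def gap_report(entries, below=3):
    """Selected controls whose maturity is below `below`, least mature first."""
    return sorted((e for e in entries if e.applicable and e.maturity < below), key=lambda e: e.maturity)


# Constructed sample data (not from the whitepaper).
RISKS = [
    Risk("R-1", "Former administrators retain privileged access", "Head of IT", 4, 3),
    Risk("R-2", "Unpatched internet-facing web server", "Head of IT", 5, 3),
    Risk("R-3", "Failure of a single office printer", "Facilities", 1, 2, "accept"),
    Risk("R-4", "Breach of customer personal data in the CRM", "DPO", 5, 2),
    Risk("R-5", "Phishing of finance staff leads to a fraudulent payment", "CFO", 4, 4),
]
ANNEX_A_SAMPLE = {"A.5.1.1", "A.9.2.3", "A.11.1.6", "A.12.6.1", "A.14.2.8", "A.18.1.4"}
SOA = [
    SoaEntry("A.5.1.1", "Policies for information security", True,
             "Baseline requirement of the ISMS", ["ISO 27001 cl. 5.2"], 3, "ISMS-POL-01"),
    SoaEntry("A.9.2.3", "Management of privileged access rights", True,
             "Treats R-1", ["Risk R-1", "PCI DSS Req. 7"], 2, "Quarterly review of admin accounts"),
    SoaEntry("A.12.6.1", "Management of technical vulnerabilities", True,
             "Treats R-2", ["Risk R-2", "PCI DSS Req. 6"], 1, "Monthly scanning, 30-day patch SLA"),
    SoaEntry("A.18.1.4", "Privacy and protection of personally identifiable information", True,
             "Treats R-4", ["Risk R-4", "GDPR Art. 32"], 3, "Privacy procedure PRIV-01"),
    SoaEntry("A.11.1.6", "Delivery and loading areas", False,
             "No delivery or loading areas on site; all systems hosted with a cloud provider"),
]

if __name__ == "__main__":
    for line in validate_soa(SOA, ANNEX_A_SAMPLE, RISKS):
        print("FINDING:", line)
    for e in gap_report(SOA):
        print(f"GAP: {e.control_id} {e.title}: {MATURITY[e.maturity]}")
```

Run as a script, the sample data produces two findings: A.14.2.8 (System security testing) has no selected/excluded decision, and risk R-5 (level 16) is above the acceptance criterion but no selected control references it. Both are exactly the gaps a certification auditor looks for first, and both disappear silently in a free-text document. The same functions give the sorting and filtering the text recommends (controls per requirement source, controls below a maturity threshold), and because the SoA is data rather than prose, previous versions can be diffed to document progress over time.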

Figure 2: Maturity scale for Controls

0 – Non-existent

1 – Initial/Ad hoc

2 – Repeatable but intuitive

3 – Defined process

4 – Managed and measurable

5 – Optimized


Plan Risk Treatment

As noted in the introduction, the Statement of Applicability is a very central document in the information security management system. After the initial version of the Statement of Applicability has been developed, it will be used both when developing the risk treatment plan and when implementing the controls that have been selected during the "Select Controls" activity.

The risk treatment plan could be said to be the organization’s security implementation plan, and the primary goal of the plan is to achieve the organization’s security goals. When planning the implementation, the following factors should be considered:

1. What will be done?

2. What resources will be required?

3. Who will be responsible?

4. When will it be completed?

5. How will the results be evaluated?

Another important factor to consider when planning the security implementation, is the importance of the controls that are being implemented, so the security activities must be prioritized according to:

• The consequences associated with the risks

• The likelihood of the risks

• Legal and other regulatory requirements

Implement Controls

Once the risk treatment planning has been done, the actual security work starts. Depending on how wide the gap is between the actual and the necessary security levels, this can be both a work-intensive and a time-consuming task. Therefore it is not unusual to see risk treatment plans that stretch over several months or even years.

During the implementation of the controls, the maturity of the ISMS improves, and the Statement of Applicability must therefore be updated to reflect this progress.

Maintaining the Statement of Applicability

As noted above, the Statement of Applicability must be continually updated, and Neupart recommends that previous (major) versions be kept, so that the improvements in control implementation and compliance can be documented.

Also, as the organization’s risk management approach matures, it is likely that recurring risk assessments may result in updates to the overall risk picture and therefore also to the Statement of Applicability.

An up-to-date Statement of Applicability is very useful to document the overall implementation level of the ISMS as well as the effectiveness of the controls that have been implemented.


TOOLS

As noted above, it is very useful to use a structured tool to document the Statement of Applicability. Neupart offers a fully-fledged Information Security Management System, Secure ISMS. Secure ISMS is developed from the methodology prescribed in ISO 27001 and ISO 27002 as well as the standard for information security risk management, ISO 27005. Secure ISMS will help you automate the implementation of your Information Security Management System, saving you valuable resources as well as ensuring that your implementation follows the standards. Secure ISMS is available as a time-limited free trial that allows you to create your Statement of Applicability.

Read more and get your free trial of Secure ISMS at www.neupart.com

REFERENCES

ISO Standard 27001 – Information security management systems – Requirements. https://www.bsigroup.com/en-GB/iso-27001-information-security/BS-EN-ISO-IEC-27001-2017/

ISO Standard 27002 – Information Technology – Security techniques – Code of practice for information security controls. https://shop.bsigroup.com/ProductDetail/?pid=000000000030347481

Payment Card Industry – Data Security Standard (PCI DSS). https://www.pcisecuritystandards.org/security_standards/index.php

SANS Institute – Twenty Critical Security Controls for Effective Cyber Defence. http://www.sans.org/critical-security-controls/

NIST Special Publication 800-53 – Security and Privacy Controls for Federal Information Systems and Organizations. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

The Danish Agency for Digitization (Digitaliseringsstyrelsen) ISO 27001-benchmark http://www.digst.dk/Arkitektur-og-standarder/Styring-af-informationssikkerhed-efter-ISO-27001/~/media/Files/Arkitektur%20og%20standarder/Informationssikkerhed%20efter%20ISO27001/ISO27001_Benchmark.ashx


Did you find this guide useful? Then sign up for Neupart’s monthly newsletter. Once a month we’ll send you our latest articles, whitepapers, and invitations to our webinars. Only knowledge and inspiration directly related to information security and data protection, no spam. If you change your mind, you can always unsubscribe via a link in each newsletter.

Sign up here: http://www.neupart.com/company/newsletter-signup

Learn from the experts Sign up for our newsletter


EFFECTIVE MANAGEMENT OF INFORMATION SECURITY

Neupart specialises in information security management systems (ISMS). Our systems, Secure ISMS and Secure GDPR, have been specifically designed to help private and public organisations comply with the new EU General Data Protection Regulation, and other information security standards such as the ISO 27001/2/5 and the ISO 22301, as well as any specific customer demands. With our user-friendly tools, it is easy to establish the right processes for compliance, and maintain those processes, long after the initial implementation phase.

Get more information and a free trial here www.neupart.com

GET HELP FROM EXPERIENCED IT-SECURITY EXPERTS

Neupart has a team of skilled, experienced consultants that help private and public enterprises establish information security. This can take the form of risk management, policies and guidelines, business continuity, awareness programmes, etc. However, it can also be consulting on compliance with various standards and requirements, such as ISO 27001/2/5, ISO 22301, GDPR, PCI DSS, and specific customer demands. The consultants have experience from various projects for many different companies internationally. Therefore they know the potential pitfalls, the most effective methods, and how to ensure the utmost security in the implementation of information security, using a pragmatic and practical approach to the work at hand.

WANT TO KNOW MORE?

Call us at +45 7025 8030

UK160418-1