In some ways, the ISO27001 standard has an unusual structure. Although it follows the same “Annex SL” or High Level Structure layout as the other ISO management system standards, it also has this “Annex A” at the back, which gets a lot of attention, and is a major part of the ISO27001 standard. And, related to that, what is this “statement of applicability” that everyone keeps talking about? In this blog we’ll go through the purpose of Annex A and answer the question “what is the statement of applicability in ISO27001?”.
It’s a risk thing
So you may already be aware that ISO27001 is a risk-based standard. This means that the actions you take and the processes you put in place should be based on an assessment of your risks. The good news is that you therefore don’t need to put anything in place that really doesn’t apply to you. For example, if your organisation doesn’t write bespoke code, then the ISO27001 standard doesn’t insist that you have a development environment and secure it appropriately – because for you, that doesn’t make sense. However, it does expect you to do something to address (or “treat”) the risks you do have. But what kinds of actions should you take to address these risks?
Well, this is where the ISO27001 standard provides some helpful guidance in the form of the reference controls in Annex A. This is a list of 93 (down from 114 in the previous version, 2013) good ideas (or more specifically, “controls”) that you can use to reduce your levels of risk and make your organisation that bit safer.
The process of risk assessment and treatment in ISO27001 then, is basically to look at what could happen, and to pick the appropriate controls from Annex A to improve your chances of the risk either not happening (reduce the likelihood), or to make it less of a problem if it does (reduce the impact), or ideally, both.
The Annex A shopping list
You could look at the set of controls in Annex A as a shopping list of best practice ideas that have been suggested by organisations all over the world and that are considered to be effective ways to improve the security of your information. They don’t just cover technical areas such as anti-malware, but address softer issues such as recruitment and employee awareness too.
But as we said earlier, this list may not apply to everyone. ISO standards are written to be used across the globe in all industries and in all shapes and sizes of organisation. So there may be some on the list that just don’t apply to you. If you’re going for certification to ISO27001, then your auditor will want to know which of the controls in Annex A apply, and which ones don’t; and this is where the statement of applicability comes in.
What is the statement of applicability?
The standard is very clear that the statement of applicability is a mandatory document, and if you don’t have one when the certification auditor comes to call, you’re going to have an embarrassing few minutes with some very raised eyebrows, likely culminating in a major nonconformity (and nobody likes those).
It explains which ISO 27001 Annex A security controls are (or aren’t) applicable to your organisation’s Information Security Management System.
So you definitely need one, but what does it look like?
Structure of the statement of applicability
Clause 6.1.3 d) of the ISO27001 standard says that you must produce a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether they are implemented or not, and the justification for excluding any of the Annex A controls.
In practice this will be a list of the controls from Annex A and, for each control, an indication of whether that control is applicable or not (a yes or no answer), a brief reason for your decision and, for those that are applicable, a simple indication of how far you have got towards implementing it (this could be a yes or no answer, or perhaps some shades of grey, such as “partially”). This list often takes the form of a spreadsheet with columns for:
applicable/not applicable
reason for inclusion/exclusion
implementation status
There’s no need to indicate which risks from your risk assessment the control is applied to (although you can if you want to) and your justifications for inclusion or exclusion don’t need to be particularly long or wordy.
Tips for the audit
Your auditor will certainly be interested in seeing your statement of applicability and the focus will often be on those controls you have excluded, so make sure your justification is well thought through and a simple list of excluded controls is to hand (to save you searching the spreadsheet). Often the number of excluded controls is relatively small, with the most common areas of exclusion probably being around software development, resulting in maybe half a dozen non-applicable. Ensure your statement of applicability is version-controlled as it will probably change over time as your organisation evolves.
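As an added illustration (not part of the original post), the checks below apply the four clause 6.1.3 d) requirements described under “Structure of the statement of applicability” to a spreadsheet-style SoA, and also produce the simple list of excluded controls mentioned in the audit tips. The rows are constructed sample data; the column names and the status values are assumptions about how your own spreadsheet is laid out.

```python
import csv
import io

# Constructed sample statement of applicability, laid out like the spreadsheet
# described above: one row per Annex A control with the three decision columns.
SAMPLE_SOA = """control,title,applicable,reason,status
A.5.1,Policies for information security,yes,Required to set management direction,implemented
A.8.25,Secure development life cycle,no,We do not develop bespoke software,
A.8.28,Secure coding,no,,
A.5.2,Information security roles and responsibilities,yes,,partially
A.8.31,Separation of development test and production environments,no,We do not develop bespoke software,implemented
"""

# Assumed vocabulary for the implementation status column ("shades of grey")
VALID_STATUS = {"implemented", "partially", "not implemented"}


def check_soa(csv_text):
    """Check every row against what clause 6.1.3 d) requires.

    Returns (findings, excluded): findings lists rows that would not satisfy
    the clause; excluded is the plain list of non-applicable controls to have
    to hand for the auditor.
    """
    findings, excluded = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["control"].strip()
        applicable = row["applicable"].strip().lower()
        reason = row["reason"].strip()
        status = row["status"].strip().lower()
        if applicable not in ("yes", "no"):
            findings.append(f"{cid}: applicability must be yes or no")
            continue
        if not reason:
            # A justification is needed both for inclusion and for exclusion
            kind = "inclusion" if applicable == "yes" else "exclusion"
            findings.append(f"{cid}: missing justification for {kind}")
        if applicable == "yes":
            # Included controls must say whether they are implemented or not
            if status not in VALID_STATUS:
                findings.append(f"{cid}: applicable control needs an implementation status")
        else:
            excluded.append((cid, row["title"].strip()))
            if status:
                findings.append(f"{cid}: excluded control should not carry an implementation status")
    return findings, excluded
```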
Annex A is based on the ISO27002 standard which was updated in February 2022, and a new version of the ISO27001 standard was published in October 2022, bringing Annex A up to date. The new set of controls has only four groupings and a reduced number of controls, although much of this reduction is due to existing controls being merged together so in fact no controls have actually been removed. These changes will necessitate a new version of your statement of applicability with an updated list, but you will have three years to transition to the new situation.
In summary
Hopefully we have answered the question “what is the statement of applicability in ISO27001?” at least in overview and this will be helpful in preparing for certification to the standard. Don’t forget that this is a required document and that certain information must be given within it to make it valid. If you follow these simple guidelines then you shouldn’t have a problem at audit time.