The Statement of Applicability (SoA) is a step you will complete as part of the Register and Modules.
The Statement of Applicability is closely connected to the Register of Legal, Regulatory, and Contractual Requirements and the Risk Register. All your work in the previous steps is visible in the Statement of Applicability.
Accessing Statement of Applicability
There are 2 ways to access the Statement of Applicability:
- Through the Statement of Applicability step in the Implementation steps;
- Through Registers and Modules.
Accessing through Statement of Applicability
Follow these steps to access the Register of Requirements:
- Go to Compliance and select Implementation steps;
- Find the Statement of Applicability and click the step or the ARROW button;
- From the step, click the Open Register button.
Accessing through Registers and Modules
Follow these steps to access the Statement of Applicability:
- Click on Registers and Modules in the menu;
- Click the Go To Register button on the Statement of Applicability module.
Statement of Applicability Overview
The Statement of Applicability is divided into the following sections:
- SoA Setup;
- Risk Treatment Plan;
- Resource Approval;
- Risk Owner Approval.
SoA Setup
After opening the Statement of Applicability, you will see the list of 93 controls suggested by ISO 27001. Here, you should fill out the following information for each control:
- Decide if the control is applicable;
- Justify the control;
- Select the implementation method.
Most of the data here will already be inputted based on the risks and requirements you identified in the Register of Legal, Regulatory, and Contractual Requirements and the Risk Register.
Applicable Controls
If a control is selected as applicable, you will need to implement it if it’s not already implemented.
If Conformio marked control as applicable by default, related risks or requirements were identified during your ISO 27001 project and are listed in the Justification column. If you decide the control is not applicable, click the toggle button to change the color from green to grey, marking the control as not applicable.
If control was selected as not applicable by default, no related risks or requirements were identified. If you decide to implement this control, or if it is already implemented in your company, click the toggle button to change the color from gray to green, marking the control as applicable.
Justification of Controls
Conformio automatically identifies the related risks (from the Risk Register) and requirements (from the Requirements Register) in the Justification column of each control. If necessary, you can add or change the text by clicking on the Justification box.
For every applicable control, a justification must be provided.
For controls that are not applicable, Conformio suggests an answer for justification. If necessary, you can change the suggested text.
Implementation method
If a control is applicable, you need to describe how the control will be implemented – it can be in the form of a document, a task, or a textual description.
Conformio automatically suggests some implementation methods, and you can add additional documents, tasks, or text that define what you plan to implement.
For every applicable control, the implementation method must be provided.
If you added a task (both default and the ones you added), you should assign a responsible person for that task.
In some cases, you may need to adapt your implementation method manually to your specific needs.
For each applicable control, Conformio may suggest 3 different implementation methods:
- A document that will describe the implementation (e.g., Access Control Policy);
- A task (e.g., the System Administrator will implement the XYZ backup system);
- A guideline (e.g., Roles and responsibilities for Information Security are listed in various ISMS documents).
It is up to you to decide how many methods to implement the control you need, and you can choose from the documents Conformio offers or your custom document.
Once you have completed the Statement of Applicability, the added documents will be shown as steps in the Implementation steps.
For controls marked as not applicable, you can leave the Implementation method section empty. In the Justification field, you can use the generated note written by Conformio or write your own comment (e.g., “There are no risks or requirements for this control.”).
Once you’ve reviewed your controls and all entered information, click the Next Step – Risk Treatment Plan button to proceed further.
Already Implemented Controls
Before opening the next step, a pop-up screen will show, asking you if you have already implemented some of the controls before attempting to define the Risk Treatment Plan. The controls you mark as implemented here will automatically be marked as implemented once you complete the Statement of Applicability.
To confirm the entries, click the Proceed button.
By clicking the Proceed button, the Statement of Applicability document is automatically generated. It can be found under Related Documents or in the folder Lists, Reports, Statements and Plans in the Document Explorer.
Implementation Status of Controls
Implementation statuses in the main SoA table will change automatically during your implementation.
Conformio automatically changes the status from Planned to Under implementation when you start working on a document listed as the implementation method of particular control. Once you complete all the documents and tasks related to the implementation of control, the status will change automatically to Implemented.
Risk Treatment Plan
In the Risk Treatment Plan, you need to define the following:
- Deadline for each implementation method;
- Assignee;
- Resource(s) for implementing all tasks and policies needed to be set up to mark not-yet-implemented controls as implemented.
Resource Approval
After defining a deadline, an assignee, and at least one resource, click the Send For Approval button to send defined resources for approval.
The Resource Approver is the person you defined in the Job titles. We recommend the Resource Approver to be the person holding the Sponsor role or someone from upper management.
After clicking the Send for Approval button, the Risk Treatment Plan will change its status to Resource Approval in Progress.
To approve resources, the Resource Approver you defined needs to open the Tasks assigned to me in the My Work section. The deadline for approving resources is 2 days.
To approve the resource, click the Approve button.
To reject the resource, click the Reject button.
Note: If you are not the Resource Approver, you cannot approve them.
If the resource was rejected, or the Resource Approver missed the 2-day deadline for approval, the Risk Treatment Plan will have to be sent for approval once more with the required changes done.
Risk Owner Approval
After approving the resources, the Statement of Applicability status will change to Risk Owner Approval In Progress, and all approved resources will have a green mark next to them.
To approve the Risk Treatment Plan, the Risk Owner needs to open the Tasks assigned to me in the My Work section. The deadline for approving the Risk Treatment Plan is 2 days.
To approve the Risk Treatment Plan, click the Approve button.
To reject the Risk Treatment Plan, click the Reject button.
If there are multiple Risk Owners, they all must approve the Risk Treatment Plan. If any of them rejects the Risk Treatment Plan or misses the 2-day deadline for approval, it will have to be re-sent for Resource Approval by the person responsible for the Statement of Applicability.
When all Risk Owners of unacceptable risks (you only work with unacceptable risks) have accepted the Risk Treatment Plan, the document Risk Treatment Plan (with current date stamp) is generated and stored in the folder Lists Reports Statements Plans in the Documents Explorer.
Statement of Applicability Completed
When opening the Statement of Applicability after all the steps are done, the SoA Setup will show as completed, and generated documents will be visible under Related Documents in the Wizard.
After the Statement of Applicability is completed, all new Conformio documents selected as Implementation Methods in the Risk Treatment Plan will be available as steps in the Implementation steps.
Making Changes to the Statement of Applicability
If you make changes to the Register of Legal, Regulatory, and Contractual Requirements or the Risk Register, a task will be created for you to review the changes reflected in the Statement of Applicability module.
If there are no changes to the Justification or the Implementation Method, click the Changes Are Not Needed button to end the review.
If you need to change the implementation method for specific controls, you can edit the text, add more documents, or add a task in the Implementation method box. By doing this, the Changes Are Not Needed button will disappear, and you will have completed the review of that control.
Frequently Asked Questions:
1. How is the Risk Treatment Plan related to the Statement of Applicability?
For controls marked as applicable in the Statement of Applicability (but not implemented), you have to define how you intend to implement them in the Risk treatment plan.
In other words, the Statement of Applicability shows your company’s security profile by defining which controls are applicable, why, and what their status is, and the Risk treatment plan is an implementation plan that describes the responsibilities, deadlines, and resources needed for the implementation of controls.
2. How to select an implementation method for controls in the Statement of Applicability?
Conformio automatically suggests the implementation method for each control in the Statement of Applicability – either by suggesting a policy, a task, or a general guideline for implementation.
Overall, there are 3 ways to describe the implementation of a control in the Statement of Applicability:
- Refer to a security policy or procedure that describes the implementation details (this is the most common method);
- Describe a task of what needs to be implemented;
- Provide a general guideline for the implementation.
3. Who should participate in writing the Statement of Applicability?
The best practice in smaller companies is that the “Statement of Applicability” is written by a person in charge of ISO 27001 implementation (e.g., the ISO 27001 project manager, the CISO, etc.). This person is usually in the best position to collect all the information from other departments and fill it into the module.