ISO 27001 is the international standard for information security, based on the way an organisation manages its security risks through processes and policies. The key point is establishing and maintaining an Information Security Management System (ISMS).
For the most part, ISO 27001 sets the security goals you need to achieve rather than telling you how to achieve those goals: it’s certainly not a box-ticking exercise. However, clause 6.1.3 d) requires an organisation to produce a document known as a Statement of Applicability that is a checklist of sorts.
How It Works
The Statement of Applicability is based around a list of 114 security controls: measures designed to address specific risks. In simple terms, for each of these controls you need to say:
- whether you’ve incorporated the control into your ISMS;
- the reason you’ve included or excluded it; and
- if you have included it in the ISMS, whether or not you are actually using it.
Note that this isn’t a scoresheet and there’s no “pass mark”. It will often be perfectly acceptable to exclude some or many of the security controls as long as you justify why they aren’t needed in your organisation.
The most common format for a Statement of Applicability is a table with one row for each control and then columns for each relevant factor. This can include the mandatory information detailed above, along with columns for your own reference such as who is responsible for implementing the control.
The Statement of Applicability brings three main benefits:
- It helps focus your mind while working on the ISMS and makes sure you don’t miss any security controls that could be useful or necessary.
- It gives ISO auditors a list of the security controls you are using, making it more straightforward to check whether each control is being carried out as planned.
- It can cut down on paperwork as in some cases you can cover the entire procedure for a specific security control in the Statement of Applicability itself rather than needing a separate document.
The 114 security controls are grouped into 14 security domains. These are the domains along with some notes where the categories aren’t self-explanatory.
- Information security policies
- Organisation of information security (includes mobile devices and teleworking)
- Human resource security (before, during and after a worker’s employment)
- Asset management (includes physical media)
- Asset control
- Physical and environment security
- Operations security (including backups, monitoring and malware)
- Communications security
- System acquisition, development and maintenance (includes test data)
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management (includes intentional redundancy to protect against interruptions)
- Compliance (includes legal and contractual requirements)