ISO 27001 (formally ISO/IEC 27001) is the international standard for information security management. Rather than prescribing particular technologies, it sets requirements for how an organisation identifies and manages its information security risks through policies and processes. Its central requirement is to establish, operate and continually improve an Information Security Management System (ISMS).
For the most part, ISO 27001 sets the security goals you need to achieve rather than telling you how to achieve them: it is certainly not a box-ticking exercise. However, clause 6.1.3 d) requires an organisation to produce a document known as a Statement of Applicability (SoA), which is a checklist of sorts: it lists the Annex A controls and records, for each one, whether it applies to the organisation, the justification for including or excluding it, and whether it has been implemented.
The Statement of Applicability is built around the list of 114 security controls in Annex A of ISO 27001:2013: measures designed to address specific risks. (The 2022 revision of the standard restructures Annex A into 93 controls, but the role of the SoA is unchanged.) In simple terms, for each of these controls you need to say:
Note that this isn’t a scoresheet and there’s no “pass mark”. It will often be perfectly acceptable to exclude some or many of the security controls, as long as you justify why they aren’t needed in your organisation. That justification should trace back to your risk assessment and to the scope of the ISMS; “we haven’t got round to it” is not an exclusion, it is an unimplemented control, and an auditor will treat it as one.
The most common format for a Statement of Applicability is a table with one row per control and one column per piece of information you record about it. This covers the mandatory information above (applicable or not, justification, implementation status), along with columns for your own reference, such as who owns the control, the risks it treats, and where the supporting policy or evidence lives.
The Statement of Applicability brings three main benefits:
In ISO 27001:2013 the 114 security controls are grouped into 14 security domains (Annex A.5 to A.18). These are the domains, with notes where the names aren’t self-explanatory.