Menu
The following article is a sample template that can be used to satisfy the Statement of Applicability requirement of the ISO 27001 standard.
Legend:
REG – Control related to regulatory / certification requirement
CON – Control required due to contractual obligations
BP – Control needed according to best practices
RA – Needed due to risk identified in annual risk assessment
| Statement of Applicability (SOA) | ||||||||
| ISO/IEC 27001:2013 Annex A controls | Justification for exclusion | Justification for control inclusion | Implementation Overview | |||||
| Clause | Sec | Control Objective/Control | REG | CON | BP | RA | ||
| 5 Security Policies | 5.1 | Management direction for information security | ||||||
| 5.1.1 | Policies for information | |||||||
| 5.1.2 | Review of the policies for information security | |||||||
| 6 Organization of Information Security | 6.1 | Internal Organization | ||||||
| 6.1.1 | Information security roles and responsibilities | |||||||
| 6.1.2 | Segregation of duties | |||||||
| 6.1.3 | Contact with authorities | |||||||
| 6.1.4 | Contact with special interest groups | |||||||
| 6.1.5 | Information security in project management | |||||||
| 6.2 | Mobile devices and teleworking | |||||||
| 6.2.1 | Mobile device policy | |||||||
| 6.2.2 | Teleworking | |||||||
| 7 Human Resource Security | 7.1 | Prior to employment | ||||||
| 7.1.1 | Screening | |||||||
| 7.1.2 | Terms and conditions of employment | |||||||
| 7.2 | During employment | |||||||
| 7.2.1 | Management responsibilities | |||||||
| 7.2.2 | Information security awareness, education, and training | |||||||
| 7.2.3 | Disciplinary process | |||||||
| 7.3 | Termination and change of employment | |||||||
| 7.3.1 | Termination or change of employment responsibilities | |||||||
| 8 Asset Management | 8.1 | Responsibility for assets | ||||||
| 8.1.1 | Inventory of assets | |||||||
| 8.1.2 | Ownership of assets | |||||||
| 8.1.3 | Acceptable use of assets | |||||||
| 8.1.4 | Return of assets | |||||||
| 8.2 | Information classification | |||||||
| 8.2.1 | Classification of information | |||||||
| 8.2.2 | Labeling of information | |||||||
| 8.2.3 | Handling of assets | |||||||
| 8.3 | Media handling | |||||||
| 8.3.1 | Management of removable media | |||||||
| 8.3.2 | Disposal of media | |||||||
| 8.3.3 | Physical media transfer | |||||||
| 9 Access Control | 9.1 | Business requirements of access control | ||||||
| 9.1.1 | Access control policy | |||||||
| 9.1.2 | Access to networks and network services | |||||||
| 9.2 | User access management | |||||||
| 9.2.1 | User registration and de-registration | |||||||
| 9.2.2 | User access provisioning | |||||||
| 9.2.3 | Management of privileged access rights | |||||||
| 9.2.4 | Management of secret authentication information of users | |||||||
| 9.2.5 | Review of user access rights | |||||||
| 9.2.6 | Removal or adjustment of access rights | |||||||
| 9.3 | User responsibilities | |||||||
| 9.3.1 | Use of secret authentication information | |||||||
| 9.4 | System and application access control | |||||||
| 9.4.1 | Information access restriction | |||||||
| 9.4.2 | Secure log-on procedures | |||||||
| 9.4.3 | Password management system | |||||||
| 9.4.4 | Use of privileged utility programs | |||||||
| 9.4.5 | Access control to program source code | |||||||
| 10 Cryptography | 10.1 | Cryptographic controls | ||||||
| 10.1.1 | Policy on the use of cryptographic controls | |||||||
| 10.1.2 | Key management | |||||||
| 11 Physical and Environmental Security | 11.1 | Secure areas (Can be descoped if company is hosting their data in SaaS) | ||||||
| 11.1.1 | Physical security perimeter | |||||||
| 11.1.2 | Physical entry controls | |||||||
| 11.1.3 | Securing office, room and facilities | |||||||
| 11.1.4 | Protecting against external end environmental threats | |||||||
| 11.1.5 | Working in secure areas | |||||||
| 11.1.6 | Delivery and loading areas | |||||||
| 11.2 | Equipment (Can be descoped if company is hosting their data in SaaS) | |||||||
| 11.2.1 | Equipment siting and protection | |||||||
| 11.2.2 | Supporting utilities | |||||||
| 11.2.3 | Cabling security | |||||||
| 11.2.4 | Equipment maintenance | |||||||
| 11.2.5 | Removal of assets | |||||||
| 11.2.6 | Security of equipment and assets off-premises | |||||||
| 11.2.7 | Secure disposal or re-use of equipment | |||||||
| 11.2.8 | Unattended user equipment | |||||||
| 11.2.9 | Clear desk and clear screen policy | |||||||
| 12 Operations Security | 12.1 | Operational procedures and responsibilities | ||||||
| 12.1.1 | Documented operating procedures | |||||||
| 12.1.2 | Change management | |||||||
| 12.1.3 | Capacity management | |||||||
| 12.1.4 | Separation of development, testing and operational environments | |||||||
| 12.2 | Protection from malware | |||||||
| 12.2.1 | Controls against malware | |||||||
| 12.3 | Backup | |||||||
| 12.3.1 | Information backup | |||||||
| 12.4 | Logging and monitoring | |||||||
| 12.4.1 | Event logging | |||||||
| 12.4.2 | Protection of log information | |||||||
| 12.4.3 | Administrator and operator logs | |||||||
| 12.4.4 | Clock synchronization | |||||||
| 12.5 | Control of operational software | |||||||
| 12.5.1 | Installation of software on operational systems | |||||||
| 12.6 | Technical vulnerability management | |||||||
| 12.6.1 | Management of technical vulnerabilities | |||||||
| 12.6.2 | Restrictions on software installation | |||||||
| 12.7 | Information systems audit considerations | |||||||
| 12.7.1 | Information systems audit controls | |||||||
| 13 Communications security | 13.1 | Network security management | ||||||
| 13.1.1 | Network controls | |||||||
| 13.1.2 | Security of network services | |||||||
| 13.1.3 | Segregation in networks | |||||||
| 13.2 | Information transfer | |||||||
| 13.2.1 | Information transfer policies and procedures | |||||||
| 13.2.2 | Agreements on information transfer | |||||||
| 13.2.3 | Electronic messaging | |||||||
| 13.2.4 | Confidentiality or non-disclosure agreements | |||||||
| 14 System acquisition, development and maintenance | 14.1 | Security requirements of information systems | ||||||
| 14.1.1 | Information security requirements analysis and specification | |||||||
| 14.1.2 | Securing applications services on public networks | |||||||
| 14.1.3 | Protecting application services transactions | |||||||
| 14.2 | Security in development and support processes | |||||||
| 14.2.1 | Secure development policy | |||||||
| 14.2.2 | System change control procedures | |||||||
| 14.2.3 | Technical review of applications after operating platform changes | |||||||
| 14.2.4 | Restrictions on changes to software packages | |||||||
| 14.2.5 | Secure system engineering principles | |||||||
| 14.2.6 | Secure development environment | |||||||
| 14.2.7 | Outsourced development | |||||||
| 14.2.8 | System security testing | |||||||
| 14.2.9 | System acceptance testing | |||||||
| 14.3 | Test data | |||||||
| 14.3.1 | Protection of test data | |||||||
| 15 Supplier relationships | 15.1 | Information security in supplier relationships | ||||||
| 15.1.1 | Information security policy for supplier relationships | |||||||
| 15.1.2 | Addressing security within supplier agreements | |||||||
| 15.1.3 | Information and communication technology supply chain | |||||||
| 15.2 | Supplier service delivery management | |||||||
| 15.2.1 | Monitoring and review of supplier services | |||||||
| 15.2.2 | Managing changes to supplier services | |||||||
| 16 Information security incident management | 16.1 | Management of information security incidents and improvements | ||||||
| 16.1.1 | Responsibilities and procedures | |||||||
| 16.1.2 | Reporting information security events | |||||||
| 16.1.3 | Reporting information security weaknesses | |||||||
| 16.1.4 | Assessment of and decision on information security events | |||||||
| 16.1.5 | Response to information security incidents | |||||||
| 16.1.6 | Learning from information security incidents | |||||||
| 16.1.7 | Collection of evidence | |||||||
| 17 Information security aspects of business continuity management | 17.1 | Information security continuity | ||||||
| 17.1.1 | Planning information security continuity | |||||||
| 17.1.2 | Implementing information security continuity | |||||||
| 17.1.3 | Verify, review and evaluate information security continuity | |||||||
| 17.2 | Redundancies | |||||||
| 17.2.1 | Availability of information processing facilities | |||||||
| 18 Compliance | 18.1 | Compliance with legal and contractual requirements | ||||||
| 18.1.1 | Identification of applicable legislation and contractual requirements | |||||||
| 18.1.2 | Intellectual property rights | |||||||
| 18.1.3 | Protection of records | |||||||
| 18.1.4 | Privacy and protection of personally identifiable information | |||||||
| 18.1.5 | Regulation of cryptographic controls | |||||||
| 18.2 | Information security reviews | |||||||
| 18.2.1 | Independent review of information security | |||||||
| 18.2.2 | Compliance with security policies and standards | |||||||
| 18.2.3 | Technical compliance review | |||||||
