Practical Statement of Applicability
The ISO 27001 standard requirement that relates to the Statement of Applicability (SoA) sounds like this:
“Produce a Statement of Applicability that contains: the necessary controls, justification for their inclusion, whether the necessary controls are implemented or not and the justification for excluding any of the Annex A controls.” (6.1.3 d)
No wonder that the requirement for this document was placed in the risk treatment section. The main purpose of this document is to present and justify the included and excluded controls needed to maintain acceptable security. There is no need to include the requirements of the standard's main body, as you cannot omit them, but Annex A controls you can. Exclusions from the standard are important; they are always presented on the certificates issued by certification bodies. As there are many controls in ISO 27001, an exclusion list could be lengthy, so the current edition of the SoA is referred to on the certificates instead.
The standard itself states that the control list in Annex A is not exhaustive; additional controls may need to be introduced to achieve a satisfactory security level. Should these controls be included in the SoA? There is no explicit statement on this in the standard, but its wording and common sense suggest that they should. Every control that is deemed necessary shall be defined, implemented, operated, and audited. Additional ones are no exception.
Who is the SoA for? Sometimes auditors ask for the main purpose and usage of every applied control to be described in the SoA, because of the requirement to justify the necessary controls. But this is quite a big task, and the average workforce member is already aware of the purpose and importance of malware protection and a physical security perimeter. What personnel really need to know is how these are implemented at their organization and what rules they need to follow. And these are in the policies. So, it is feasible to include policy references in the SoA as the justification of controls. This is a great help for those responsible for the operation and auditing of the ISMS. Workforce members may also use it as an index, although most of them don’t even know that this document exists. If the ISMS documentation is well structured and available, the workforce will not need the SoA to find the rules they need to comply with.
Is the SoA dynamic or static? As the current edition of the SoA is referred to on the certificate, an update will require the replacement of the certificate, at additional cost. The more details you add to the SoA on the controls, the more often it may change. The additional advantage of adding policy references to the SoA is that you can fine-tune controls in the policies without touching the SoA. You will need to update it only if a control is included or excluded. And this is what the SoA is for.