Creating a detailed example of a "Statement of Applicability" (SoA) requires understanding its purpose within the ISO/IEC 27001:2022 framework. The SoA is a critical document for any organization implementing an Information Security Management System (ISMS): it records which of the standard's controls apply to the organization, how each applicable control is implemented, and why any control has been excluded.
As I cannot directly create or share files, below is an outline of how an SoA might be structured in an Excel spreadsheet format, along with examples of content for each column. You can create an Excel file following these guidelines.
Excel Spreadsheet Structure for a Statement of Applicability
Column A: Control Number example: A.5.1.1
Column B: Control Title example: Information Security Policies
Column C: Control Category example: Organizational Controls
Column D: Applicability (Yes/No) example: Yes
Column E: Justification for Inclusion example: Essential for establishing the management framework for information security.
Column F: Implementation Status (Implemented/Partially Implemented/Not Implemented) example: Implemented
Column G: Justification for Exclusion (if applicable) example: Not Applicable
Column H: Remarks example: Reviewed & approved by ISMS Committee on [date].
Example Entries for an SoA Spreadsheet
Control Number | Control Title | Control Category | Applicability | Justification for Inclusion | Implementation Status | Justification for Exclusion | Remarks |
A.5.1.1 | Information Security Policies | Organizational Controls | Yes | Essential for establishing the management framework for information security. | Implemented | Not Applicable | Reviewed & approved on 2023-03-15 |
A.6.2.1 | Mobile Device Policy | Organizational Controls | Yes | Critical for managing mobile access to internal networks. | Partially Implemented | Not Applicable | Pending full rollout of MDM solution |
A.18.2.3 | Technical Compliance Review | Compliance Controls | No | Not applicable due to the current organizational size and scope. | Not Implemented | Outside current scope | To be re-evaluated in 2024 |
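As an added illustration that is not part of the original outline, the following Python script reads an SoA exported to CSV with the columns above and flags rows whose fields contradict each other (for example, a control marked not applicable that still carries an implementation status). The CSV text is constructed here from the three example entries plus one deliberately inconsistent row, and the consistency rules it enforces are assumptions about how such a sheet should be kept, not requirements stated by the standard.

```python
import csv
import io

# Constructed sample SoA: the three example rows above plus one
# deliberately inconsistent row (A.7.1.1) to show what gets flagged.
SOA_CSV = """Control Number,Control Title,Control Category,Applicability,Justification for Inclusion,Implementation Status,Justification for Exclusion,Remarks
A.5.1.1,Information Security Policies,Organizational Controls,Yes,Essential for establishing the management framework for information security.,Implemented,Not Applicable,Reviewed & approved on 2023-03-15
A.6.2.1,Mobile Device Policy,Organizational Controls,Yes,Critical for managing mobile access to internal networks.,Partially Implemented,Not Applicable,Pending full rollout of MDM solution
A.18.2.3,Technical Compliance Review,Compliance Controls,No,Not applicable due to the current organizational size and scope.,Not Implemented,Outside current scope,To be re-evaluated in 2024
A.7.1.1,Screening,People Controls,No,,Implemented,Not Applicable,
"""

STATUSES = {"Implemented", "Partially Implemented", "Not Implemented"}

def validate_row(row):
    """Return a list of findings for one SoA row; an empty list means the row is consistent."""
    findings = []
    ctrl = row["Control Number"].strip()
    applicable = row["Applicability"].strip()
    status = row["Implementation Status"].strip()
    incl = row["Justification for Inclusion"].strip()
    excl = row["Justification for Exclusion"].strip()
    if applicable not in {"Yes", "No"}:
        findings.append(f"{ctrl}: Applicability must be Yes or No, got {applicable!r}")
        return findings
    if status not in STATUSES:
        findings.append(f"{ctrl}: unknown Implementation Status {status!r}")
    if applicable == "Yes":
        # An applicable control needs a reason and should be on the implementation path.
        if not incl:
            findings.append(f"{ctrl}: applicable control lacks a Justification for Inclusion")
        if status == "Not Implemented":
            findings.append(f"{ctrl}: applicable but Not Implemented (open gap to track)")
    else:
        # An excluded control needs a real exclusion rationale and no implementation claim.
        if not excl or excl == "Not Applicable":
            findings.append(f"{ctrl}: excluded control needs a real Justification for Exclusion")
        if status != "Not Implemented":
            findings.append(f"{ctrl}: excluded control should have status Not Implemented")
    return findings

def validate_soa(csv_text):
    """Validate every row of a CSV-formatted SoA and return all findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [finding for row in reader for finding in validate_row(row)]

if __name__ == "__main__":
    for finding in validate_soa(SOA_CSV):
        print(finding)
```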
Remember, the creation and maintenance of the SoA are dynamic processes. It should be reviewed and updated regularly to reflect the current status of your ISMS, especially after significant organizational changes, updates to ISO/IEC 27001, or in response to findings from internal or external audits.