iso27diy-corp/Corpus/Sparks/ISMS/About the Statement of Applicability.md

About the Statement of Applicability

In essence, the Statement of Applicability shows the outcome of the risk treatment process (6.1.3a). It is usually presented as a table of Annex A controls, together with a short explanation for the selection or exclusion of each, and its implementation status.

This follows directly from Clause 6.1.3d, which requires that the Statement of Applicability contain:

  • the controls that are necessary to implement the chosen risk treatments, including the rationale for their selection
  • the status of their implementation ("whether the necessary controls are implemented or not")
  • the justification for excluding any and all other controls from Annex A.

Though ISO 27002 offers implementation guidance for the controls in Annex A, the organization is free to design them as it sees fit. The organization is also free to identify controls "from any source", so you could also include controls from, for instance, XXX or YYY.

One is generally advised to "Comply or Explain": either you implement every control from Annex A in some form, or you explain why you do not need to, based on your risk analysis and the risk treatment you have chosen.