Unravel the puzzle of non-applicable controls in your Statement of Applicability
Jessica Doering

April 8, 2024

-

3

 min reading time

Identify non-applicable controls in Statement of Applicability (SOA)

In a nutshell: In the field of information security management systems (ISMS), the statement of applicability (SOA) plays a decisive role!

The Statement of Applicability is a document that describes the controls selected by an organization to mitigate the information security risks identified during the risk assessment process. However, not all controls are universally applicable to every organization, and identifying non-applicable controls is a critical aspect of developing an effective SOA.

Understanding the Statement of Applicability

The Statement of Applicability is an integral part of ISO 27001. It provides a clear roadmap for organizations to identify and implement controls that are relevant to their specific context, taking into account the organization's size, industry, regulatory environment and unique risk context.

Key Elements of the Statement of Applicability

Scope Definition:

The first step in creating an effective SOA is defining the scope of the ISMS. This involves determining the boundaries of the information security management system and understanding the organizational context.

Risk Assessment:

Conducting a thorough risk assessment is crucial for identifying potential risks to information security. This assessment serves as the foundation for selecting and tailoring controls to address the organization's specific risk landscape.

Control Selection:

Controls are selected based on the identified risks. However, not all controls from the ISO 27001 standard may be applicable to every organization. Some controls may be irrelevant, unnecessary, or duplicative in certain contexts.

Identifying Non-Applicable Controls

Relevance to Business Processes:

Assess each control in the context of the organization's business processes. Controls that do not align with the nature of the business may be deemed non-applicable.

Regulatory Compliance:

Consider the industry-specific regulatory environment. Controls that are mandated by regulations irrelevant to the organization may be considered non-applicable.

Risk Tolerance:

Evaluate the organization's risk tolerance. Controls that address risks below the organization's risk acceptance criteria may be considered excessive and non-applicable.

Redundancy:

Identify controls that duplicate efforts or address the same risk. Redundant controls may be streamlined or excluded from the SOA.

Resource Constraints:

Consider the organization's resource constraints. Controls that require resources beyond what the organization can reasonably allocate may be deemed non-applicable.

Documenting Non-Applicable Controls

Clear Justifications:

Provide clear justifications for excluding each non-applicable control. This ensures transparency and understanding during internal and external audits.

Regular Review:

The identification of non-applicable controls is not a one-time activity. Regularly review the SOA in conjunction with changes in the organization's context, risks, and regulatory landscape.

Thus, developing an effective applicability statement is a dynamic process that requires careful consideration of the organization's unique circumstances. Identifying and documenting non-applicable controls is not only a requirement for ISO 27001 compliance, but also a strategic approach to ensure that the ISMS remains tailored to the organization's specific needs and risks. 

Regular reviews and updates of the SOA contribute to the ongoing effectiveness of the information security management system.

Focus on building Security with Compliance in the background

Secfix has the largest EU auditors network and minimizes time, effort and cost through its platform.

Book consultation

non-binding and free of charge

Other Articles

How to find experts who understand regulatory ISO 27001 compliance

How to find an Internal Auditor

Find a skilled internal auditor who is tailored to your company's needs

ISO 27001

ISO 27001:2013 vs ISO 27001:2022 Controls

Key Changes in ISO 27001:2013 to ISO 27001:2022 Controls

Adapting ISO 27001 Controls: A Transition from 2013 to 2022

ISO 27001

ISO 27001:2022

ISO 27001:2013

Gaining Insight into Third Party Vendor Security

Understanding Vendor Security Risks

Unraveling the Landscape of Vendor Security Risks

ISO 27001

Vendor management

Mastering Vendor Management in ISO 27001

How to approach effective Vendor Management in ISO 27001

Secure Partnerships: Elevating Your Business through Superior Vendor Management

ISO 27001

Vendor management

Implementation of ISO 27001 Risk Management

How to approach risk management in ISO 27001

Strategically navigating and mitigating risks is a crucial aspect of effective management

ISO 27001

Risk management

TISAX®: Main benefits for your company

TISAX®: Who needs it and why

A TISAX certification is mandatory for any organization engaging with key stakeholders in the German automotive industry

TISAX

Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet!

ISO 27001

ISO 27001
ISO 27001