Statement of Applicability

Time
7 hours 52 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:01
Lesson 1.5,
00:03
statement of applicability.
00:07
In this video,
00:09
we will cover
00:11
understanding what the statement of applicability is,
00:15
understanding its components and why it is such an important artifact in ISO 27001, specifically for an ISMS,
00:24
and understanding what needs to be included in the SoA document.
00:31
This could be one of the most time consuming documents to put together and maintain.
00:41
So what is the statement of applicability, which is also known as the SoA document?
00:49
The SoA indicates which controls are in and out of scope.
00:54
When a control framework is selected to support the ISMS,
00:58
it must be noted that not all controls within a predefined framework such as ISO 27002
01:04
are mandatory for implementation.
01:07
A large determination of controls comes from the risk profile of your organization,
01:12
the needs and expectations of interested parties,
01:15
whether a control is a legal requirement,
01:19
or whether it is based on a contractual obligation with an external stakeholder.
01:26
Each control that is listed within an adopted framework such as ISO 27002
01:32
must be included in the statement of applicability, and an indication provided of whether it is applicable to the scope or not,
01:40
as well as why the control has been included or excluded.
01:44
The justification for inclusion can be simplistic,
01:48
while the justification for a control's exclusion must be sufficient and valid,
01:53
either showing it is not applicable in the operating context of the organization
01:57
or that the risk is not present, for whatever reason.
02:02
The controls listed in a predefined framework such as ISO 27002,
02:07
NIST,
02:08
the ISF Standard of Good Practice and so forth are not exhaustive in nature for your SoA.
02:16
The SoA should also include any controls which the organization has implemented or will implement that are unique to the organization and which are not directly covered by one of the other controls.
02:30
If you're feeling a bit lost as to where and how this fits into the ISMS,
02:37
don't worry, it will make more sense as we go through the course.
02:40
The reason for including the statement of applicability so early on in the
02:45
course is that
02:46
this document is literally one of the most important documents in your entire ISMS.
02:53
So it deserves a segment on its own.
02:59
The statement of applicability defines the controls that you will implement to support your ISMS.
03:06
it basically states which controls are
03:08
part of your ISMS and which are not part of your ISMS, and why.
03:14
When we go through Clauses 6 and 8 for risk management,
03:17
this will make a lot more sense.
03:29
As mentioned previously,
03:30
on your statement of applicability you will need to provide a justification for each control as to why it is either included or excluded.
03:38
This could be quite a lot of work when you consider that ISO 27002,
03:45
also known as the Annex A body of controls,
03:47
consists of 114 controls,
03:53
not including your own custom controls.
03:55
So that's quite a lot of work to go through each one of these controls and determine
04:00
is this applicable to your organization? Is it not applicable, and why? For each of those controls,
04:08
for controls that are included, the reasoning will relate to how the control serves to mitigate or modify a specific risk or multiple risks.
04:17
This will tie back into your risk assessments, so ensure that there is consistency between the two.
04:25
It could be extra helpful to include explicit references between your statement of applicability and risk register,
04:31
so that mitigating controls in the risk register link to specific controls in your statement of applicability,
04:39
and the controls in your statement of applicability contain the specific numbers, or whatever identifier you want to use, for the risks in the risk register.
04:48
In other words, your statement of applicability and risk register cross reference each other.
04:55
There is no point including controls, or trying to implement controls, that are not going to serve any purpose
05:00
and will just end up incurring additional time, cost and resources.
05:05
it is perfectly OK to exclude certain controls from your statement of applicability
05:11
as long as the justification is sufficient.
05:15
For example,
05:16
controls that pertain to outsourced development might not be applicable to your organization
05:23
If you do not use an outsourced
05:25
software development provider.
05:28
However,
05:30
user access controls are probably applicable to your organization, and excluding those would probably not go down that well with an auditor,
05:39
unless you have some very good reason as to why they are not applicable.
05:50
To give you an example of what
05:54
a statement of applicability layout looks like, this is a simple table to give you a general idea. You can document this in whatever way you want.
06:02
Generally, it's done in an Excel sheet or some sort of table format,
06:08
as it is the easiest way to maintain the data and include the references that you need.
06:14
What you need to do is list all the controls in the control framework you are adopting, whether it's ISO 27002, NIST or whatever you're using, as well as any custom controls that your organization may have.
06:28
You can also include additional columns in your statement of applicability that make it easier to manage within the organization.
06:35
If, for example, you have specific personnel responsible for certain controls,
06:41
you could list that here to demonstrate ownership and how many people are involved in the ISMS controls.
06:46
You can also link the controls to any project plans or risk treatments that are currently ongoing
06:51
to indicate that tracking on these is being performed.
06:59
So as you can see from this example,
07:00
it's best to include a control number or some sort of reference to the control.
07:05
If you're using a predefined framework, these will generally come with a preconfigured or established control number.
07:14
The control objective and description are useful to
07:17
show what purpose the control is serving in the organization.
07:24
Indicate whether or not the control is included or excluded in your scope.
07:30
For each inclusion or exclusion,
07:33
a justification should be present.
07:38
When a control needs to be included,
07:41
there will be some or other risk that it is mitigating.
07:46
It is up to you how to document the justification.
07:50
You can either write this out in your own words,
07:57
including a reference to your risk
08:00
that it is mitigating
08:01
or simply link to your risk register and the corresponding risk.
08:07
Another important component to include is the current status of the control.
08:13
Not all controls will be at the same level, meaning some controls may be fully implemented, while others are only partially implemented or not implemented at all.
08:26
If possible,
08:28
provide a more quantitative
08:31
determination of control status.
08:35
For example, a control that is partially completed
08:37
to 80% versus a control that is partially completed to 30%
08:43
is quite a big difference,
08:45
so if you have that information available, rather include it and provide
08:50
just that extra bit;
08:50
it will definitely help you if you go through a certification audit.
09:01
To summarize,
09:03
In this lesson, we covered what the statement of applicability is
09:07
and what it is used for in your ISMS,
09:11
why controls need to have justifications both for being included as well as excluded.
09:18
We also took a brief look at a simple statement of applicability layout
09:24
and the minimum required components that should be included.
09:28
Again, this is one of the most important pieces of documentation that will come out of your ISMS.
09:35
It is loosely tied to clause 6.1.3,
09:39
and that is where the
09:41
statement of applicability will most likely come out from. Once you have done your initial risk assessment and determined your risk treatments.