Statement of Applicability (SoA) Template

Introduction to the Statement of Applicability

The Statement of Applicability (SoA) is one of the most critical documents in your ISO 27001 implementation. It serves as the bridge between your risk assessment and the actual security controls you implement.

What is a Statement of Applicability?

The SoA is a mandatory document that:

Lists all 93 controls from ISO 27001:2022 Annex A
Indicates which controls are applicable to your organization
Provides justification for controls marked as "not applicable"
Documents how applicable controls are implemented
Links controls to identified risks and treatment decisions
Serves as a master reference for auditors

Why the SoA Matters

For Auditors:

Primary document reviewed during certification audits
Demonstrates systematic approach to security control selection
Shows due diligence in addressing information security risks
Provides roadmap for evidence collection during audit

For Your Organization:

Creates accountability for control implementation
Helps prioritize security initiatives
Documents compliance decisions
Facilitates gap analysis and improvement planning
Ensures alignment between risks and controls

Complete SoA Structure and Template

Document Control Section

STATEMENT OF APPLICABILITY (SoA)
ISO/IEC 27001:2022

Document Information:
- Document Owner: [CISO/Information Security Manager]
- Version: [X.X]
- Last Updated: [Date]
- Next Review Date: [Date]
- Classification: CONFIDENTIAL
- Approval: [Management Representative]

Change History:
| Version | Date | Changes | Approved By |
|---------|------|---------|-------------|
| 1.0 | YYYY-MM-DD | Initial SoA | [Name] |
| 1.1 | YYYY-MM-DD | Updated controls 5.7, 8.9 | [Name] |

Executive Summary Section

## Executive Summary

This Statement of Applicability documents the information security controls
selected for implementation within [Organization Name] to manage identified
information security risks and meet compliance obligations.

### Scope of ISMS
[Your ISMS scope from context establishment]

### Risk Assessment Summary
- Total Risks Identified: [Number]
- High Priority Risks: [Number]
- Risks Requiring Control Implementation: [Number]

### Control Applicability Summary
- Total Annex A Controls: 93
- Applicable Controls: [Number]
- Not Applicable Controls: [Number]
- Implementation Status:
  - Fully Implemented: [Number]
  - Partially Implemented: [Number]
  - Planned: [Number]

Control Applicability Matrix

Organizational Controls (5.1 - 5.37)

Control #	Control Name	Status	Justification	Implementation Details	Risk ID	Evidence Reference	Implementation Date	Owner
5.1	Policies for information security	APPLICABLE	Required for governance framework	Information Security Policy v2.1 approved by Board. Published on intranet. Annual review cycle established.	ALL	POL-001, MTG-SEC-2024-Q1	2024-01-15	CISO
5.2	Information security roles and responsibilities	APPLICABLE	Essential for accountability	RACI matrix created. Job descriptions updated. Security responsibilities in all IT role descriptions.	R-003, R-012	DOC-RACI-001, HR-JD-*	2024-01-20	CISO/HR
5.3	Segregation of duties	APPLICABLE	Prevents fraud and errors	Segregation matrix implemented in ERP. Dual authorization for financial transactions >$10k.	R-007, R-015	SYS-ERP-001, POL-FIN-002	2024-02-01	CFO/CISO
5.4	Management responsibilities	APPLICABLE	Senior management engagement required	ISMS steering committee meets quarterly. Executive sponsor assigned (CFO).	ALL	MTG-ISMS-*, CHAR-001	2024-01-10	Executive Team
5.5	Contact with authorities	APPLICABLE	Regulatory reporting obligations	Contacts maintained for: Data Protection Authority, Law Enforcement, Industry Regulators.	R-023	DOC-CONTACTS-001	2024-01-25	Legal/CISO
5.6	Contact with special interest groups	APPLICABLE	Industry threat intelligence	Memberships: ISACA, (ISC)², Industry ISAC. Quarterly participation in security forums.	R-025	MEM-ISAC-001, MTG-EXT-*	2024-02-10	CISO
5.7	Threat intelligence	APPLICABLE	Proactive threat awareness	Subscriptions: CISA alerts, vendor threat feeds. Weekly threat briefings to security team.	R-025, R-026	SYS-TI-001, REP-THREAT-*	2024-02-15	Security Ops
5.8	Information security in project management	APPLICABLE	Security by design	Security review gate in SDLC. Security architect reviews all medium+ projects.	R-018, R-019	PROC-SDLC-001, FORM-SEC-REV	2024-01-30	PMO/CISO
5.9	Inventory of information and other associated assets	APPLICABLE	Asset-based risk management	CMDB implemented with 98% coverage. Asset classification schema applied.	R-001	SYS-CMDB-001, REP-ASSET-*	2024-02-20	IT Operations
5.10	Acceptable use of information and other associated assets	APPLICABLE	User behavior boundaries	AUP published and acknowledged annually by all employees. Monitored via DLP.	R-011, R-013	POL-AUP-001, SYS-DLP-001	2024-01-18	CISO/HR
5.11	Return of assets	APPLICABLE	Data protection on departure	Exit checklist includes all IT assets. Remote wipe capability for mobile devices.	R-010	PROC-EXIT-001, SYS-MDM-001	2024-01-22	HR/IT
5.12	Classification of information	APPLICABLE	Risk-based protection	4-tier classification: Public, Internal, Confidential, Restricted. Labels in email, SharePoint.	R-001, R-002	POL-CLASS-001, GUIDE-CLASS	2024-02-05	CISO
5.13	Labelling of information	APPLICABLE	Visual control indication	Email headers, watermarks, SharePoint metadata. Auto-labeling rules in place.	R-002	SYS-M365-001, CONFIG-LABEL	2024-02-08	IT/CISO
5.14	Information transfer	APPLICABLE	Secure data in transit	Encryption required for Confidential+. Secure file transfer portal. DLP monitoring.	R-004, R-022	SYS-SFTP-001, POL-TRANSFER	2024-02-12	IT/CISO
5.15	Access control	APPLICABLE	Fundamental security control	Role-based access control (RBAC) implemented. Access request workflow in ServiceNow.	R-006, R-010	SYS-IAM-001, PROC-ACCESS	2024-01-28	IT/Security
5.16	Identity management	APPLICABLE	User lifecycle management	Azure AD as identity source. Automated provisioning/deprovisioning.	R-006	SYS-AAD-001, PROC-IDM	2024-02-01	IT Operations
5.17	Authentication information	APPLICABLE	Credential security	Password policy: 12+ chars, complexity, 90-day expiry. MFA required for admin accounts.	R-008	POL-PWD-001, SYS-AAD-002	2024-02-03	IT/Security
5.18	Access rights	APPLICABLE	Least privilege principle	Quarterly access reviews. Auto-revocation of unused accounts after 90 days.	R-006, R-010	PROC-ACCESS-REV, REP-ACCESS-*	2024-02-15	IT/Security
5.19	Information security in supplier relationships	APPLICABLE	Third-party risk management	Vendor security questionnaire. SLA includes security requirements. Annual assessments.	R-020, R-021	PROC-VENDOR-001, FORM-VSA	2024-02-18	Procurement/CISO
5.20	Addressing information security within supplier agreements	APPLICABLE	Contractual protections	Standard security addendum. Right to audit. Data processing agreements for processors.	R-020, R-021	TMPL-CONTRACT-SEC, TMPL-DPA	2024-02-20	Legal/CISO
5.21	Managing information security in the ICT supply chain	APPLICABLE	Software supply chain security	SCA tools for dependencies. Vendor security ratings (BitSight).	R-027	SYS-SCA-001, PROC-VENDOR-002	2024-03-01	AppSec/CISO
5.22	Monitoring, review and change management of supplier services	APPLICABLE	Ongoing vendor oversight	Quarterly business reviews include security metrics. Change notification requirements.	R-020	PROC-VENDOR-REV, FORM-QBR	2024-03-05	Procurement/CISO
5.23	Information security for use of cloud services	APPLICABLE	Cloud-specific controls	Cloud security policy. Azure/AWS security baselines. CASB implemented.	R-024	POL-CLOUD-001, SYS-CASB-001	2024-02-22	Cloud/CISO
5.24	Information security incident management planning and preparation	APPLICABLE	Incident response capability	IRP v3.2 approved. 24/7 on-call rotation. Tabletop exercises quarterly.	R-028	PLAN-IRP-001, SCHED-ONCALL	2024-01-12	Security Ops
5.25	Assessment and decision on information security events	APPLICABLE	Event triage process	SIEM with correlation rules. Incident severity matrix. Escalation procedures.	R-028	SYS-SIEM-001, PROC-TRIAGE	2024-02-25	Security Ops
5.26	Response to information security incidents	APPLICABLE	Structured response	Incident playbooks for common scenarios. Digital forensics capability.	R-028	PLAY-*, PROC-FORENSICS	2024-03-01	Security Ops
5.27	Learning from information security incidents	APPLICABLE	Continuous improvement	Post-incident reviews mandatory. Lessons learned database. Quarterly trend analysis.	R-028	PROC-PIR, DB-LESSONS, REP-INC-*	2024-03-05	Security Ops
5.28	Collection of evidence	APPLICABLE	Legal and forensic readiness	Chain of custody procedures. Forensic toolkit maintained. Legal hold process.	R-028, R-030	PROC-EVIDENCE, KIT-FORENSICS	2024-03-08	Security/Legal
5.29	Information security during disruption	APPLICABLE	Business continuity	Security controls in BCP/DRP. Alternative processing sites maintain security posture.	R-029	PLAN-BCP-001, PLAN-DRP-001	2024-02-28	BCP/CISO
5.30	ICT readiness for business continuity	APPLICABLE	Technology resilience	RPO/RTO defined for critical systems. Backup verification monthly. Annual DR test.	R-029	DOC-RPTRTO, TEST-DR-*	2024-03-10	IT/BCP
5.31	Legal, statutory, regulatory and contractual requirements	APPLICABLE	Compliance obligations	Legal register maintained. GDPR, SOX, industry regulations mapped to controls.	R-031	REG-LEGAL-001, MAP-COMPLIANCE	2024-01-08	Legal/Compliance
5.32	Intellectual property rights	APPLICABLE	IP protection	Software license management. Copyright policy. Trade secret protection.	R-014	POL-IP-001, SYS-SAM-001	2024-02-15	Legal/IT
5.33	Protection of records	APPLICABLE	Records retention	7-year retention for financial. Legal holds tracked. Secure destruction procedures.	R-031	POL-RETENTION, PROC-DISPOSAL	2024-02-18	Legal/Records
5.34	Privacy and protection of PII	APPLICABLE	Data privacy compliance	Privacy policy. Data mapping. DPIA process. Privacy by design.	R-005	POL-PRIVACY-001, MAP-DATA, PROC-DPIA	2024-01-15	DPO/CISO
5.35	Independent review of information security	APPLICABLE	Assurance and oversight	Annual internal audit. External audit (ISO 27001). Quarterly compliance reviews.	ALL	REP-AUDIT-*, PLAN-AUDIT-2024	2024-03-15	Internal Audit
5.36	Compliance with policies, rules and standards for information security	APPLICABLE	Policy compliance	Policy acknowledgment tracking. Compliance KPIs. Exception management process.	ALL	SYS-POLICY-ACK, PROC-EXCEPTION	2024-02-10	CISO/Compliance
5.37	Documented operating procedures	APPLICABLE	Operational consistency	Procedures documented for all critical IT operations. Review cycle established.	R-017	LIB-PROC-*, PROC-MGMT-001	2024-02-20	IT Operations

People Controls (6.1 - 6.8)

Control #	Control Name	Status	Justification	Implementation Details	Risk ID	Evidence Reference	Implementation Date	Owner
6.1	Screening	APPLICABLE	Pre-employment security	Background checks for all employees. Enhanced checks for privileged access roles.	R-009	PROC-HIRING-001, VENDOR-BGC	2024-01-15	HR
6.2	Terms and conditions of employment	APPLICABLE	Contractual security obligations	Confidentiality agreements. Security responsibilities in offer letters.	R-009, R-011	TMPL-OFFER, TMPL-NDA	2024-01-15	HR/Legal
6.3	Information security awareness, education and training	APPLICABLE	Human firewall development	Annual security awareness training (95% completion). Monthly security tips. Phishing simulations quarterly.	R-011	SYS-LMS-001, REP-TRAINING-, CAMP-PHISH-	2024-02-01	CISO/HR
6.4	Disciplinary process	APPLICABLE	Accountability for violations	Security violations addressed per HR policy. Progressive discipline framework.	R-011	POL-HR-DISCIPLINE, PROC-SEC-VIOLATION	2024-01-20	HR/CISO
6.5	Responsibilities after termination or change of employment	APPLICABLE	Post-employment security	Exit procedures include access revocation, asset return. NDA survives termination.	R-010	PROC-EXIT-001, TMPL-EXIT-CHECK	2024-01-22	HR/IT
6.6	Confidentiality or non-disclosure agreements	APPLICABLE	Information protection	All employees, contractors, vendors sign NDAs. Separate NDAs for specific projects.	R-013	TMPL-NDA-*, DB-NDA-TRACKING	2024-01-15	Legal
6.7	Remote working	APPLICABLE	Distributed workforce security	Remote work security policy. VPN mandatory. Endpoint protection required. Home office security guidance.	R-016	POL-REMOTE-001, SYS-VPN-001, GUIDE-REMOTE	2024-02-05	CISO/HR
6.8	Information security event reporting	APPLICABLE	Security awareness channel	Multiple reporting channels: email, hotline, portal. Non-retaliation policy.	R-028	PROC-REPORTING, PORTAL-SEC, COMM-REPORT	2024-02-08	CISO

Physical Controls (7.1 - 7.14)

Control #	Control Name	Status	Justification	Implementation Details	Risk ID	Evidence Reference	Implementation Date	Owner
7.1	Physical security perimeters	APPLICABLE	Facility protection	Office: Badge access, reception desk, CCTV. Data center: Perimeter fencing, mantrap.	R-032	SPEC-FACILITY-001, SYS-ACCESS-CTRL	2024-01-10	Facilities
7.2	Physical entry	APPLICABLE	Access control	Badge access system. Visitor management. Access logs retained 90 days.	R-032	SYS-BADGING-001, PROC-VISITOR	2024-01-10	Facilities
7.3	Securing offices, rooms and facilities	APPLICABLE	Internal physical security	Server room: Card access + biometric. Lockable cabinets for confidential files.	R-032	SPEC-SERVER-ROOM, PROC-KEY-MGMT	2024-01-12	Facilities/IT
7.4	Physical security monitoring	APPLICABLE	Detection capability	CCTV: 30-day retention. Motion sensors in server room. 24/7 alarm monitoring.	R-032	SYS-CCTV-001, CONTRACT-ALARM	2024-01-15	Facilities
7.5	Protecting against physical and environmental threats	NOT APPLICABLE	No significant environmental risks	Office building: Commercial space with standard HVAC. Data center: All production systems in AWS with environmental controls managed by AWS. Risk R-033 rated LOW after assessment. Per risk treatment, accepted as residual risk. No company-owned data center facilities requiring environmental control systems.	N/A	RISK-R-033, AWS-CERT-SOC2	N/A	N/A
7.6	Working in secure areas	APPLICABLE	Server room procedures	Server room access log. Escort required for non-IT personnel. Clean desk enforcement.	R-032	PROC-SERVER-ACCESS, SIGN-CLEAN-DESK	2024-01-18	IT/Facilities
7.7	Clear desk and clear screen	APPLICABLE	Information exposure prevention	Clear desk policy. Auto-lock after 5 min idle. Screen privacy filters for mobile workers.	R-013	POL-CLEAR-DESK, CONFIG-SCREEN-LOCK	2024-02-01	CISO/HR
7.8	Equipment siting and protection	APPLICABLE	Asset protection	Laptops encrypted, locked down. Servers in locked rack. Cabling protected.	R-032, R-034	SPEC-EQUIP-001, CONFIG-ENCRYPTION	2024-01-20	IT/Facilities
7.9	Security of assets off-premises	APPLICABLE	Mobile asset security	Laptop encryption mandatory. Mobile device management (MDM). Remote wipe capability.	R-016, R-034	SYS-MDM-001, POL-MOBILE-001	2024-02-10	IT/CISO
7.10	Storage media	APPLICABLE	Removable media control	USB drives disabled on workstations (except approved encrypted drives). Media register.	R-035	CONFIG-USB-BLOCK, REG-MEDIA-001	2024-02-15	IT/Security
7.11	Supporting utilities	APPLICABLE	Infrastructure resilience	UPS for server room (30 min runtime). Generator for data center colocation facility.	R-029	SPEC-UPS-001, CONTRACT-COLO	2024-01-25	Facilities/IT
7.12	Cabling security	APPLICABLE	Network infrastructure protection	Structured cabling in protected conduits. Network ports disabled by default. Port security enabled.	R-036	SPEC-CABLING-001, CONFIG-SWITCH	2024-01-22	IT/Facilities
7.13	Equipment maintenance	APPLICABLE	Asset reliability and security	Maintenance contracts for critical equipment. Maintenance logs. Data sanitization before repair.	R-034	CONTRACT-MAINT-*, LOG-MAINT, PROC-SANITIZE	2024-02-05	IT/Facilities
7.14	Secure disposal or re-use of equipment	APPLICABLE	Data remanence prevention	NIST 800-88 sanitization. Certificate of destruction for drives. Asset disposal log.	R-035	PROC-DISPOSAL-001, VENDOR-DESTROY, LOG-DISPOSAL	2024-02-08	IT/Security

Technological Controls (8.1 - 8.34)

Control #	Control Name	Status	Justification	Implementation Details	Risk ID	Evidence Reference	Implementation Date	Owner
8.1	User endpoint devices	APPLICABLE	Endpoint security	EDR on all endpoints. AV with daily updates. Personal device restrictions (BYOD policy).	R-037	SYS-EDR-001, POL-ENDPOINT-001	2024-02-12	IT/Security
8.2	Privileged access rights	APPLICABLE	Administrative control	Separate admin accounts. PAM solution for privileged sessions. MFA required.	R-008	SYS-PAM-001, CONFIG-AAD-CA	2024-02-15	IT/Security
8.3	Information access restriction	APPLICABLE	Need-to-know access	RBAC enforced in all applications. Data access based on job function. SharePoint permissions.	R-006	CONFIG-RBAC-*, MAP-ACCESS-RIGHTS	2024-02-18	IT/Security
8.4	Access to source code	APPLICABLE	Source code protection	Source code in GitHub Enterprise. Branch protection. Code review required for merge.	R-018	SYS-GITHUB-001, CONFIG-BRANCH-PROT	2024-02-20	AppDev/Security
8.5	Secure authentication	APPLICABLE	Strong authentication	MFA: Required for VPN, email, cloud apps. Phishing-resistant MFA for admins (FIDO2).	R-008	CONFIG-MFA-*, SYS-AAD-CA-001	2024-02-22	IT/Security
8.6	Capacity management	APPLICABLE	Performance and availability	Resource monitoring (CPU, memory, storage). Capacity planning quarterly. Auto-scaling in cloud.	R-038	SYS-MONITOR-001, REP-CAPACITY-*	2024-03-01	IT Operations
8.7	Protection against malware	APPLICABLE	Malware defense	Endpoint: EDR + AV. Email: Advanced threat protection. Web: URL filtering.	R-037, R-039	SYS-EDR-001, SYS-M365-ATP, SYS-PROXY	2024-02-25	IT/Security
8.8	Management of technical vulnerabilities	APPLICABLE	Vulnerability management	Vulnerability scanning weekly. Patch management: Critical within 30 days. Vuln tracking in ServiceNow.	R-040	SYS-VULN-SCAN-001, PROC-PATCH, DASH-VULN	2024-03-05	IT/Security
8.9	Configuration management	APPLICABLE	Secure baselines	CIS benchmarks implemented. Infrastructure as Code for cloud. Configuration drift detection.	R-041	CONFIG-BASELINE-*, SYS-IaC, SYS-DRIFT-DETECT	2024-03-08	IT/Security
8.10	Information deletion	APPLICABLE	Data lifecycle management	Retention policy enforced. Secure deletion procedures. Certificate of destruction.	R-035	POL-RETENTION-001, PROC-DELETION	2024-03-10	IT/Records Mgmt
8.11	Data masking	APPLICABLE	Production data protection	PII masked in non-production. Test data generation tool. Dynamic data masking in SQL.	R-005, R-042	PROC-DATA-MASK, SYS-TESTDATA, CONFIG-SQL-MASK	2024-03-12	AppDev/DBA
8.12	Data leakage prevention	APPLICABLE	Information loss prevention	DLP policies for PII, PCI, IP. Email scanning. Endpoint DLP. Cloud DLP (CASB).	R-004, R-022	SYS-DLP-001, POLICY-DLP-*, SYS-CASB-DLP	2024-03-15	Security/IT
8.13	Information backup	APPLICABLE	Data availability and recovery	Daily incremental, weekly full backups. Offsite backup to cloud. Quarterly restore tests. 3-2-1 strategy.	R-043	PROC-BACKUP-001, SYS-VEEAM-001, TEST-RESTORE-*	2024-02-28	IT Operations
8.14	Redundancy of information processing facilities	APPLICABLE	High availability	Critical systems: HA configuration. Load balancers. Multi-AZ deployment in AWS.	R-029, R-038	ARCH-HA-*, CONFIG-LB, SPEC-AWS-INFRA	2024-03-18	IT/Cloud
8.15	Logging	APPLICABLE	Audit trail and detection	Centralized logging (SIEM). Logs: Authentication, admin actions, access. 1-year retention.	R-044	SYS-SIEM-001, CONFIG-LOGGING-*, POL-LOG-RET	2024-03-20	Security/IT
8.16	Monitoring activities	APPLICABLE	Security monitoring	24/7 SOC monitoring. SIEM correlation rules. User behavior analytics. Weekly security metrics.	R-044	SYS-SIEM-001, SYS-UEBA, REP-SEC-METRICS-*	2024-03-22	Security Ops
8.17	Clock synchronization	APPLICABLE	Accurate timestamps	NTP configuration on all systems. Time sync from domain controllers. Stratum 2 or better.	R-044	CONFIG-NTP-*, PROC-TIME-SYNC	2024-03-25	IT Operations
8.18	Use of privileged utility programs	APPLICABLE	Admin tool control	Restricted access to admin utilities. PAM logging of privileged sessions. Approved tools list.	R-008, R-017	SYS-PAM-001, LIST-ADMIN-TOOLS, CONFIG-APP-CONTROL	2024-03-28	IT/Security
8.19	Installation of software on operational systems	APPLICABLE	Change control and security	Change management for prod installs. Application whitelisting on servers. Admin rights required.	R-017, R-037	PROC-CHANGE-001, CONFIG-APPLOCKER	2024-04-01	IT Operations
8.20	Networks security	APPLICABLE	Network segmentation and protection	Network segmentation: DMZ, production, corporate. Firewall rules documented. VLAN isolation.	R-036, R-045	ARCH-NETWORK-001, CONFIG-FW-*, DOC-VLAN	2024-04-05	Network/Security
8.21	Security of network services	APPLICABLE	Network service hardening	Network services inventory. Unnecessary services disabled. Service hardening standards.	R-036, R-041	INV-NET-SERVICES, CONFIG-HARDENING-*	2024-04-08	Network/Security
8.22	Segregation of networks	APPLICABLE	Network isolation	Production isolated from dev/test. Guest WiFi segregated. Jump boxes for admin access.	R-036, R-045	ARCH-NETWORK-001, CONFIG-VLAN-*, SPEC-JUMPBOX	2024-04-10	Network/Security
8.23	Web filtering	APPLICABLE	Malicious content blocking	Web proxy with URL filtering. Category blocking: malware, adult, gambling. SSL inspection.	R-039	SYS-PROXY-001, CONFIG-URL-FILTER, POL-WEB-USE	2024-04-12	IT/Security
8.24	Use of cryptography	APPLICABLE	Data confidentiality and integrity	Encryption policy. TLS 1.2+ for data in transit. AES-256 for data at rest. Key management.	R-004, R-022	POL-CRYPTO-001, CONFIG-TLS-*, SYS-KMS	2024-04-15	Security/IT
8.25	Secure development life cycle	APPLICABLE	Application security	Secure SDLC policy. Security requirements in design. SAST/DAST. Security testing gate.	R-018, R-019	PROC-SDLC-001, SYS-SAST, SYS-DAST, GATE-SEC	2024-04-18	AppDev/AppSec
8.26	Application security requirements	APPLICABLE	Security by design	Security requirements template. OWASP Top 10 addressed. Threat modeling for new apps.	R-018	TMPL-SEC-REQS, CHECK-OWASP, PROC-THREAT-MODEL	2024-04-20	AppSec
8.27	Secure system architecture and engineering principles	APPLICABLE	Defense in depth	Architecture review board. Security architecture patterns. Zero trust principles.	R-046	CHAR-ARB, LIB-ARCH-PATTERNS, PRIN-ZERO-TRUST	2024-04-22	Enterprise Arch/Security
8.28	Secure coding	APPLICABLE	Code-level security	Secure coding standards (OWASP). Code review checklist. Developer security training.	R-019	STAND-SECURE-CODE, CHECK-CODE-REV, TRAIN-DEV-SEC	2024-04-25	AppDev/AppSec
8.29	Security testing in development and acceptance	APPLICABLE	Pre-production security validation	Security testing in CI/CD. Penetration testing for major releases. UAT includes security scenarios.	R-019	PIPE-CICD-001, PROC-PENTEST, PLAN-UAT-SEC	2024-04-28	AppDev/AppSec/QA
8.30	Outsourced development	NOT APPLICABLE	All development in-house currently	Organization performs all software development with internal staff. No outsourced or offshore development partners. If outsourced development is engaged in future, Risk R-047 will be reassessed and control implemented.	N/A	RISK-R-047, ORG-CHART-DEV	N/A	N/A
8.31	Separation of development, test and production environments	APPLICABLE	Environment isolation	Dev, Test, Staging, Production environments. Network separation. Separate credentials. Prod data not in dev/test.	R-042	ARCH-ENV-001, CONFIG-ENV-SEP, PROC-DATA-MASK	2024-05-01	IT/AppDev
8.32	Change management	APPLICABLE	Controlled changes	CAB approval for production changes. Change windows. Rollback procedures. Emergency change process.	R-017	PROC-CHANGE-001, SCHED-CHANGE-WINDOW, PROC-ROLLBACK	2024-05-05	IT Operations
8.33	Test information	APPLICABLE	Secure test data	Production data masking before use in test. Test data refresh procedures. Test data disposal.	R-042	PROC-TESTDATA-001, PROC-DATA-MASK	2024-05-08	AppDev/DBA
8.34	Protection of information systems during audit testing	APPLICABLE	Audit system protection	Audit testing in isolated environment or read-only access. Audit tool approval. Testing schedule coordination.	R-017	PROC-AUDIT-TEST, FORM-AUDIT-ACCESS, COORD-AUDIT	2024-05-10	Internal Audit/IT

Detailed Implementation Examples

Example 1: APPLICABLE Control with Full Documentation

Control 8.5: Secure Authentication

CONTROL IMPLEMENTATION DETAILS

Status: FULLY IMPLEMENTED
Implementation Date: 2024-02-22
Control Owner: Director of IT Security
Review Date: 2024-08-22

Risk Mapping:
- R-008: Unauthorized access due to weak authentication (HIGH)
- R-046: Account compromise leading to data breach (HIGH)

Implementation Description:
Multi-factor authentication (MFA) has been implemented organization-wide using
Microsoft Azure AD Conditional Access policies. Implementation covers:

1. User Authentication:
   - All employees: MFA required for O365, VPN, and corporate applications
   - Methods supported: Authenticator app (primary), SMS (backup), Hardware token (executives)
   - Self-service enrollment portal available
   - 99.2% enrollment rate achieved

2. Administrative Authentication:
   - Separate admin accounts for all privileged users
   - Phishing-resistant MFA required (FIDO2 security keys)
   - Admin accounts: No exception to MFA policy
   - Admin session timeout: 4 hours

3. Service Accounts:
   - Azure Managed Identities where possible (no passwords)
   - Certificate-based authentication for legacy systems
   - Regular audit of service account authentication methods

4. External Access:
   - B2B guests: MFA required via home tenant or SMS
   - API access: OAuth 2.0 with client certificates
   - VPN: MFA required before tunnel establishment

Technical Controls:
- Conditional Access Policies: 12 policies configured
- Failed auth monitoring: Alert after 5 failed attempts
- Location-based restrictions: Block high-risk countries
- Device compliance: Require managed device for Confidential data access

Evidence References:
- CONFIG-AAD-CA-001: Conditional Access policy export
- DASH-MFA-ENROLLMENT: Current enrollment dashboard
- PROC-MFA-001: MFA enrollment and support procedure
- TRAIN-MFA-USER: User training materials
- TEST-MFA-2024-Q1: MFA bypass testing results

Compliance Mapping:
- GDPR Article 32: Technical measures for security
- NIST CSF: PR.AC-7 (Users, devices, and other assets are authenticated)
- CIS Control 6: Access Control Management
- SOC 2 CC6.1: Logical and physical access controls

Metrics and KPIs:
- MFA Enrollment Rate: 99.2% (Target: >98%)
- MFA Success Rate: 97.8% (Target: >95%)
- Help Desk MFA Tickets: 23/month (Decreasing)
- Admin MFA Compliance: 100%

Gap Analysis: NONE - Control fully implemented

Next Review Actions:
- [ ] Evaluate passwordless authentication (Windows Hello for Business)
- [ ] Assess feasibility of FIDO2 for all users
- [ ] Review MFA bypass requests (currently 4 approved exceptions)

Example 2: NOT APPLICABLE Control with Justification

Control 7.5: Protecting Against Physical and Environmental Threats

CONTROL APPLICABILITY DECISION

Status: NOT APPLICABLE
Decision Date: 2024-01-15
Decision Maker: CISO (John Smith)
Approved By: COO (Jane Doe)
Review Date: 2025-01-15

Risk Assessment:
Risk R-033: "Environmental disaster damages on-premise infrastructure"
- Initial Risk Rating: MEDIUM
- Likelihood: LOW (based on facility location and building standards)
- Impact: MEDIUM (primarily availability impact)

Justification for Non-Applicability:
This control is not applicable to our organization for the following reasons:

1. Minimal On-Premise Infrastructure:
   - 95% of production systems hosted in AWS cloud
   - No company-owned data center facilities
   - No server rooms with environmental control requirements
   - Office server room: Small network equipment closet only (non-critical)

2. Cloud Provider Responsibility:
   - AWS manages environmental controls per Shared Responsibility Model
   - AWS facilities include:
     * Fire suppression systems
     * Redundant HVAC systems
     * Backup power generation
     * Flood protection measures
   - Verified through AWS SOC 2 Type II report

3. Office Environment:
   - Corporate office: Commercial building with standard HVAC
   - Building management responsible for environmental systems
   - No special environmental requirements beyond standard office conditions
   - Network closet: Standard temperature/humidity (adequate for edge equipment)

4. Risk Treatment Decision:
   - Risk R-033 re-assessed with cloud infrastructure: LOW
   - Residual risk ACCEPTED by management
   - No additional controls cost-justified

Alternative Controls Implemented:
While 7.5 is not applicable, environmental risk is addressed through:
- Control 8.14: Redundancy of information processing facilities (Cloud multi-AZ)
- Control 5.30: ICT readiness for business continuity (Cloud DR strategy)
- Control 8.13: Information backup (Geo-redundant backups)

Documentation References:
- RISK-R-033: Risk assessment for environmental threats
- AWS-SOC2-2024: AWS SOC 2 Type II Report
- ARCH-CLOUD-001: Cloud architecture diagram
- DECISION-MEMO-7.5: Management decision memorandum

Contractual Coverage:
- AWS Customer Agreement: Section 4.2 (Service Level Agreement)
- Lease Agreement Office Space: Building environmental systems
- Building Management Agreement: HVAC maintenance schedule

Review Criteria:
This control will be re-assessed as APPLICABLE if:
- Organization builds or leases data center space
- On-premise infrastructure exceeds 20% of compute capacity
- Compliance requirements mandate on-premise data processing
- Business continuity strategy changes to require on-premise DR site

Audit Trail:
| Date | Action | User | Notes |
|------|--------|------|-------|
| 2024-01-10 | Initial Assessment | Security Analyst | Marked as N/A |
| 2024-01-12 | Risk Review | CISO | Confirmed LOW risk |
| 2024-01-15 | Management Approval | COO | Accepted residual risk |
| 2024-01-15 | SoA Updated | ISMS Coordinator | Documented decision |

Control Implementation Summary by Category

Implementation Status Overview

Category	Total Controls	Applicable	Not Applicable	Fully Implemented	Partially Implemented	Planned
Organizational (5.1-5.37)	37	37	0	35	2	0
People (6.1-6.8)	8	8	0	8	0	0
Physical (7.1-7.14)	14	13	1	12	1	0
Technological (8.1-8.34)	34	33	1	28	4	1
TOTAL	93	91	2	83	7	1

Completion Percentage: 89.2% (83/93 controls fully implemented)

Partially Implemented Controls

Control	Status	Gap Description	Remediation Plan	Target Date	Owner
5.7	Threat Intelligence	Threat intelligence consumed but not fully operationalized. No automated threat feed integration into SIEM.	Integrate ThreatConnect with Splunk. Automate IOC ingestion. Train SOC on threat hunting.	2024-06-30	Security Ops Manager
5.21	Managing ICT Supply Chain	SCA tool implemented but vendor security ratings not integrated into procurement workflow.	Integrate BitSight scores into vendor approval process. Quarterly vendor security reviews.	2024-07-15	Procurement/CISO
7.4	Physical Security Monitoring	CCTV coverage incomplete in parking areas. Retention only 30 days (target: 90 days).	Install 4 additional cameras. Upgrade storage for 90-day retention.	2024-05-30	Facilities Manager
8.11	Data Masking	Test data masking procedures defined but not fully automated. Some manual processes remain.	Implement automated test data generation tool. Eliminate production data access for testing.	2024-06-15	DBA/AppDev Manager
8.16	Monitoring Activities	SIEM implemented but 24/7 coverage via third-party SOC only for critical alerts. Not all security events monitored real-time.	Expand SOC coverage to all security events. Enhance UEBA tuning. Add 3 SOC analysts.	2024-08-30	Security Ops Manager
8.24	Use of Cryptography	Encryption standards defined. Some legacy systems still using TLS 1.1. Key management centralized but no formal key rotation schedule.	Upgrade legacy systems to TLS 1.2+. Implement automated key rotation in KMS. Document crypto-period policies.	2024-07-30	IT Security Manager
8.29	Security Testing in Development	SAST integrated in CI/CD. Penetration testing ad-hoc. No regular automated DAST in pipeline.	Integrate DAST tool into CI/CD. Schedule quarterly penetration tests. Establish bug bounty program.	2024-09-30	AppSec Manager

Planned Controls (Not Yet Implemented)

Control	Status	Implementation Plan	Target Date	Owner	Budget Allocated
8.12	Data Leakage Prevention	Endpoint DLP planned but not yet deployed. Email and cloud DLP implemented.	Evaluate DLP solutions (Forcepoint vs. Symantec). POC Q2. Deploy Q3.	2024-09-30	Security Architect

Risk-to-Control Mapping

This section maps identified risks to the controls that mitigate them.

Risk ID	Risk Description	Risk Rating	Related Controls	Residual Risk	Status
R-001	Unauthorized access to confidential information	HIGH	5.9, 5.12, 5.15, 8.3	LOW	Mitigated
R-002	Inadvertent disclosure of classified information	MEDIUM	5.12, 5.13, 5.14	LOW	Mitigated
R-003	Lack of accountability for security responsibilities	MEDIUM	5.2, 5.4	LOW	Mitigated
R-004	Data interception during transmission	HIGH	5.14, 8.12, 8.24	LOW	Mitigated
R-005	Privacy violation - unauthorized PII processing	HIGH	5.34, 8.11	MEDIUM	Partially Mitigated
R-006	Excessive access rights leading to insider threat	HIGH	5.15, 5.16, 5.18, 8.3	LOW	Mitigated
R-007	Fraud due to inadequate segregation of duties	MEDIUM	5.3	LOW	Mitigated
R-008	Account compromise via weak authentication	HIGH	5.17, 8.2, 8.5, 8.18	LOW	Mitigated
R-009	Insider threat from inadequate vetting	MEDIUM	6.1, 6.2	LOW	Mitigated
R-010	Data theft by departing employee	MEDIUM	5.11, 5.15, 5.18, 6.5	LOW	Mitigated
R-011	Security incident due to user error or ignorance	HIGH	5.10, 6.2, 6.3, 6.4	MEDIUM	Partially Mitigated
R-012	Unclear roles leading to security gaps	MEDIUM	5.2	LOW	Mitigated
R-013	Information exposure via uncontrolled sharing	MEDIUM	5.10, 5.12, 6.6, 7.7	LOW	Mitigated
R-014	Software licensing violation and legal exposure	LOW	5.32	LOW	Mitigated
R-015	Financial fraud via dual-authorization bypass	MEDIUM	5.3	LOW	Mitigated
R-016	Remote work security vulnerabilities	MEDIUM	6.7, 7.9	LOW	Mitigated
R-017	Unauthorized system changes causing outage	MEDIUM	5.37, 8.18, 8.19, 8.32, 8.34	LOW	Mitigated
R-018	Insecure application design introducing vulnerabilities	HIGH	5.8, 8.4, 8.25, 8.26	MEDIUM	Partially Mitigated
R-019	Application vulnerabilities in production code	HIGH	5.8, 8.25, 8.28, 8.29	MEDIUM	Partially Mitigated
R-020	Third-party vendor security breach affecting organization	HIGH	5.19, 5.20, 5.22	MEDIUM	Partially Mitigated
R-021	Inadequate contractual security protections with vendors	MEDIUM	5.19, 5.20	LOW	Mitigated
R-022	Data exfiltration via email or web channels	HIGH	5.14, 8.12, 8.24	MEDIUM	Partially Mitigated
R-023	Failure to report security incident to regulators	MEDIUM	5.5	LOW	Mitigated
R-024	Cloud misconfiguration exposing data	HIGH	5.23	LOW	Mitigated
R-025	Emerging threat not detected	MEDIUM	5.6, 5.7	MEDIUM	Partially Mitigated
R-026	Zero-day vulnerability exploitation	HIGH	5.7	MEDIUM	Accepted
R-027	Software supply chain attack	HIGH	5.21	MEDIUM	Partially Mitigated
R-028	Security incident not properly detected and responded to	HIGH	5.24, 5.25, 5.26, 5.27, 5.28, 6.8	LOW	Mitigated
R-029	Business disruption due to IT failure	HIGH	5.29, 5.30, 7.11, 8.14	LOW	Mitigated
R-030	Evidence spoliation preventing investigation	MEDIUM	5.28	LOW	Mitigated
R-031	Regulatory non-compliance leading to fines	HIGH	5.31, 5.33	LOW	Mitigated
R-032	Unauthorized physical access to facilities	MEDIUM	7.1, 7.2, 7.3, 7.4, 7.6, 7.8	LOW	Mitigated
R-033	Environmental disaster damages on-premise infrastructure	LOW	N/A (7.5 N/A)	LOW	Accepted
R-034	Theft or loss of mobile devices containing data	MEDIUM	7.8, 7.9, 7.13	LOW	Mitigated
R-035	Data recovery from disposed equipment	MEDIUM	7.10, 7.14, 8.10	LOW	Mitigated
R-036	Network-based attack compromising systems	HIGH	7.12, 8.20, 8.21, 8.22	LOW	Mitigated
R-037	Malware infection spreading through network	HIGH	8.1, 8.7, 8.19	LOW	Mitigated
R-038	System capacity exceeded causing outage	MEDIUM	8.6, 8.14	LOW	Mitigated
R-039	Drive-by download or phishing leading to compromise	HIGH	8.7, 8.23	MEDIUM	Partially Mitigated
R-040	Exploitation of unpatched vulnerabilities	HIGH	8.8	LOW	Mitigated
R-041	Security misconfiguration exposing vulnerabilities	HIGH	8.9, 8.21	LOW	Mitigated
R-042	Production data exposure in non-production environments	MEDIUM	8.11, 8.31, 8.33	MEDIUM	Partially Mitigated
R-043	Data loss due to backup failure	HIGH	8.13	LOW	Mitigated
R-044	Insufficient logging preventing incident investigation	MEDIUM	8.15, 8.16, 8.17	LOW	Mitigated
R-045	Lateral movement after initial compromise	HIGH	8.20, 8.22	LOW	Mitigated
R-046	Architectural security weaknesses	MEDIUM	8.27	LOW	Mitigated
R-047	Outsourced development introducing vulnerabilities	N/A	N/A (8.30 N/A)	N/A	N/A

Risk Coverage Statistics

Total Risks Identified: 47
Risks with Multiple Controls (Defense in Depth): 38 (81%)
High Risks: 18
- Fully Mitigated to Low: 11 (61%)
- Partially Mitigated to Medium: 6 (33%)
- Accepted: 1 (6%)
Average Controls per Risk: 2.9

Control-to-Evidence Mapping

This section provides a comprehensive mapping of controls to the evidence that demonstrates their implementation.

Evidence Type Categories

Category	Description	Examples
POL	Policies	Information Security Policy, Acceptable Use Policy
PROC	Procedures	Incident Response Procedure, Change Management
PLAN	Plans	Business Continuity Plan, Disaster Recovery Plan
GUIDE	Guidelines	Remote Work Security Guidelines, Classification Guide
STAND	Standards	Secure Coding Standards, Configuration Standards
SYS	System Configurations	SIEM configuration, MFA settings, firewall rules
LOG	Logs and Records	Access logs, audit logs, incident tickets
REP	Reports	Vulnerability scan reports, metrics dashboards
CONTRACT	Contracts and Agreements	Vendor contracts, NDAs, SLAs
CERT	Certificates and Attestations	Training certificates, SOC 2 reports
TEST	Test Results	Penetration test reports, DR test results
MTG	Meeting Minutes	Security committee meetings, management reviews

Evidence Collection Schedule

Evidence Type	Collection Frequency	Responsible Party	Storage Location	Retention Period
Policies	Annual review	CISO	SharePoint/Policies	Permanent (versions)
Procedures	Annual review	Process Owners	SharePoint/Procedures	Permanent (versions)
System Configs	Quarterly snapshot	IT Security	Git repository	3 years
Audit Logs	Continuous	Automated	SIEM	1 year
Vulnerability Scans	Weekly	Security Ops	Vulnerability Management Tool	2 years
Training Records	Continuous	HR/Training	LMS	Employment + 3 years
Incident Reports	Per incident	Security Ops	ServiceNow	7 years
Meeting Minutes	Per meeting	Meeting Secretary	SharePoint/Governance	3 years
Test Results	Per test	Test Owner	SharePoint/Evidence	3 years
Vendor Contracts	Per contract	Procurement	Contract Management System	Contract + 7 years

Key Evidence for Audit

Critical Evidence Auditors Will Request:

Risk Assessment (R-001 through R-047)
- Location: SharePoint/ISMS/RiskAssessment/
- Last Updated: 2024-Q1
- Format: Excel with risk register, treatment plan
Asset Inventory (Control 5.9)
- Location: CMDB (ServiceNow)
- Export: REP-ASSET-INVENTORY-2024-Q1.xlsx
- Records: 1,247 assets with classifications
Access Review Evidence (Control 5.18)
- Location: SharePoint/ISMS/AccessReviews/
- Files: REP-ACCESS-REVIEW-2024-Q1.pdf (quarterly reviews)
- Attestations: Signed by data owners
Training Records (Control 6.3)
- Location: LMS (Cornerstone)
- Report: REP-TRAINING-COMPLETION-2024.pdf
- Metrics: 95% completion, test scores
Incident Log (Controls 5.24-5.27)
- Location: ServiceNow (Security Incident Module)
- Export: REP-INCIDENTS-2023-FULL-YEAR.xlsx
- Records: 47 incidents, all with post-incident reviews
Vulnerability Management (Control 8.8)
- Location: Tenable.io
- Reports: REP-VULN-SUMMARY-MONTHLY-2024-*.pdf
- Metrics: MTTR, critical patch compliance
Backup Verification (Control 8.13)
- Location: SharePoint/ISMS/Backups/
- Files: TEST-RESTORE-2024-Q*.pdf (quarterly restore tests)
- Status: All tests successful
Management Review Minutes (Clause 9.3)
- Location: SharePoint/ISMS/ManagementReview/
- Files: MTG-MGMT-REVIEW-2024-Q*.pdf
- Content: ISMS performance, improvements, objectives
Internal Audit Reports (Clause 9.2)
- Location: SharePoint/ISMS/InternalAudits/
- Files: REP-INTERNAL-AUDIT-2024-Q*.pdf
- Findings: Tracked in ServiceNow
Control Testing Evidence
- Location: SharePoint/ISMS/ControlTesting/
- Format: Testing workbook per control
- Results: Pass/Fail with screenshots

Legal, Statutory, Regulatory and Contractual Requirements

Compliance Obligations Register

Requirement	Type	Applicability	Related Controls	Evidence	Review Frequency
GDPR (EU General Data Protection Regulation)	Regulatory	EU customers' personal data	5.34, 5.31, 5.33, 8.10, 8.11	POL-PRIVACY-001, PROC-DPIA, MAP-DATA, REG-DPO	Annual
CCPA (California Consumer Privacy Act)	Regulatory	California residents' data	5.34, 5.31, 8.10	POL-PRIVACY-001, PROC-CCPA-REQUEST	Annual
SOX (Sarbanes-Oxley Act)	Regulatory	Financial reporting systems	5.3, 5.15, 8.3, 8.15, 8.32	MATRIX-SOX-CONTROLS, REP-SOX-AUDIT	Annual
PCI DSS (Payment Card Industry Data Security Standard)	Industry	Credit card processing	5.12, 5.14, 8.3, 8.7, 8.15, 8.20, 8.24	AOC-PCI-2024, SCAN-ASV-QUARTERLY	Quarterly
HIPAA (Health Insurance Portability and Accountability Act)	Regulatory	Health information (if applicable)	5.34, 8.10, 8.11, 8.24	POL-HIPAA (if applicable)	Annual
SOC 2 Type II	Attestation	Customer contractual requirement	Multiple (all applicable)	REP-SOC2-2024	Annual
State Data Breach Notification Laws	Regulatory	All 50 US states	5.24, 5.25, 5.26, 5.5	PLAN-BREACH-NOTIFICATION	Annual
ePrivacy Directive (Cookie Law)	Regulatory	Website visitors in EU	5.34	CONSENT-MGR-WEBSITE, POL-COOKIE	Annual
NIST Cybersecurity Framework	Framework	Industry best practice / customer requirement	Multiple	MAP-NIST-CSF-2024	Annual
ISO 27001:2022	Certification	Certification scope	All 91 applicable controls	This SoA, ISMS Documentation	Continuous
Customer Contractual Requirements	Contractual	Per contract	Varies by contract	CONTRACT-SEC-ADDENDUM-*	Per contract
Industry Regulations (Sector-Specific)	Regulatory	[Insert your industry regs]	[Map to controls]	[Evidence references]	[Frequency]

Compliance Mapping Matrix

GDPR Articles to Control Mapping:

GDPR Article	Requirement	ISO 27001 Controls	Implementation Notes
Art. 5	Principles (lawfulness, fairness, transparency)	5.34, 5.12	Privacy policy, data classification
Art. 15-22	Data subject rights	5.34	Privacy procedure includes rights requests
Art. 25	Data protection by design and by default	5.34, 8.11, 8.25, 8.26	Privacy requirements in SDLC
Art. 30	Records of processing activities	5.34	Data processing inventory maintained
Art. 32	Security of processing	5.34, 8.24, 8.5, 8.7, 8.13	Technical and organizational measures
Art. 33-34	Breach notification	5.24, 5.26	Incident response plan includes breach notification
Art. 35	Data Protection Impact Assessment	5.34	DPIA procedure for high-risk processing
Art. 37	Data Protection Officer	5.34	DPO appointed (Jane Smith, [email protected])

PCI DSS Requirements to Control Mapping:

PCI Requirement	ISO 27001 Controls	Implementation Notes
Req 1: Firewall configuration	8.20, 8.21	Network segmentation, firewall rules
Req 2: Secure configurations	8.9	CIS benchmarks for CDE systems
Req 3: Protect stored cardholder data	8.24, 8.10	Encryption, tokenization, data retention
Req 4: Encrypt data in transit	8.24	TLS 1.2+ for cardholder data
Req 5: Anti-malware	8.7	EDR and AV on all CDE systems
Req 6: Secure development	8.25, 8.26, 8.28	Secure SDLC for payment applications
Req 7: Access control	5.15, 8.3	Need-to-know access to cardholder data
Req 8: Authentication	8.5, 5.17	MFA for CDE access
Req 9: Physical access	7.1, 7.2, 7.3	Badge access to CDE areas
Req 10: Logging and monitoring	8.15, 8.16	SIEM monitoring for CDE
Req 11: Security testing	8.8, 8.29	Quarterly ASV scans, annual penetration test
Req 12: Information security policy	5.1	PCI security policy

Gap Analysis and Remediation Plan

Current State Assessment

Overall ISMS Maturity: Level 3 - Defined (on 5-level scale)

ISMS Component	Maturity Level	Assessment
Risk Management	4 - Managed	Regular risk assessments, treatment tracking, metrics
Policy Framework	4 - Managed	Comprehensive policies, regular reviews, enforcement
Asset Management	3 - Defined	CMDB implemented, classification applied, some gaps
Access Control	4 - Managed	RBAC, PAM, regular reviews, good compliance
Cryptography	3 - Defined	Standards defined, some legacy systems gaps
Physical Security	3 - Defined	Basic controls in place, some monitoring gaps
Operations Security	3 - Defined	Procedures defined, automation opportunities
Communications Security	4 - Managed	Strong network security, monitoring, segmentation
System Development	3 - Defined	SDLC security integrated, testing gaps
Supplier Relations	3 - Defined	Vendor assessment process, automation needed
Incident Management	4 - Managed	Mature capability, 24/7 SOC, continuous improvement
Business Continuity	3 - Defined	Plans in place, regular testing, some gaps
Compliance	3 - Defined	Requirements mapped, evidence collection manual

Identified Gaps

Priority 1 (Critical) - Target completion: Q2 2024

Gap ID	Description	Related Control(s)	Impact	Effort	Status
GAP-001	DLP not deployed on endpoints	8.12	HIGH	HIGH	Planned - Q3
GAP-002	DAST not integrated in CI/CD pipeline	8.29	HIGH	MEDIUM	In Progress
GAP-003	Incomplete CCTV coverage	7.4	MEDIUM	LOW	Funded - Q2

Priority 2 (Important) - Target completion: Q3 2024

Gap ID	Description	Related Control(s)	Impact	Effort	Status
GAP-004	Manual test data masking processes	8.11	MEDIUM	MEDIUM	Requirements phase
GAP-005	Limited 24/7 SOC monitoring scope	8.16	MEDIUM	HIGH	Budget requested
GAP-006	Legacy systems on TLS 1.1	8.24	MEDIUM	HIGH	Remediation plan drafted
GAP-007	No automated threat feed integration	5.7	MEDIUM	MEDIUM	Vendor evaluation
GAP-008	Vendor security ratings not in procurement workflow	5.21	MEDIUM	LOW	Requirements defined

Priority 3 (Enhancement) - Target completion: Q4 2024

Gap ID	Description	Related Control(s)	Impact	Effort	Status
GAP-009	No passwordless authentication	8.5	LOW	MEDIUM	Research phase
GAP-010	Manual evidence collection for audits	N/A (Efficiency)	LOW	HIGH	Discovery phase
GAP-011	No bug bounty program	8.29	LOW	MEDIUM	Policy draft
GAP-012	Limited security architecture patterns library	8.27	LOW	MEDIUM	In progress

Remediation Roadmap

Q2 2024 (Apr-Jun)

✓ Complete CCTV installation (GAP-003)
✓ Finish DAST CI/CD integration (GAP-002)
◐ Begin test data masking automation (GAP-004)
○ Start vendor security rating integration (GAP-008)

Q3 2024 (Jul-Sep)

○ Deploy endpoint DLP (GAP-001)
○ Complete test data masking automation (GAP-004)
○ Expand SOC monitoring scope (GAP-005)
○ Integrate threat feeds (GAP-007)
○ Complete vendor security integration (GAP-008)

Q4 2024 (Oct-Dec)

○ Upgrade legacy systems to TLS 1.2+ (GAP-006)
○ Implement automated evidence collection (GAP-010)
○ Evaluate passwordless authentication (GAP-009)
○ Expand architecture patterns library (GAP-012)

2025 and Beyond

Launch bug bounty program (GAP-011)
Implement passwordless authentication (GAP-009)
Achieve ISMS Maturity Level 4 across all components
Pursue additional certifications (SOC 2 Type II, ISO 27017, ISO 27018)

Budget Requirements for Gap Remediation

Gap ID	Initiative	Estimated Cost	Status
GAP-001	Endpoint DLP	$75,000	Approved
GAP-002	DAST Tool	$35,000	Approved
GAP-003	CCTV Expansion	$12,000	Approved
GAP-004	Test Data Tool	$25,000	Pending
GAP-005	SOC Expansion	$180,000/year	Pending
GAP-006	TLS Upgrade	$40,000 (consulting)	Approved
GAP-007	Threat Intel Platform	$50,000	Pending
TOTAL		$417,000 + $180k/yr

Continuous Improvement

Control Effectiveness Measurement

Each control is measured using defined KPIs:

Example: Control 8.5 (Secure Authentication)

KPI 1: MFA enrollment rate (Target: >98%, Current: 99.2%) ✓
KPI 2: MFA success rate (Target: >95%, Current: 97.8%) ✓
KPI 3: Account compromise incidents (Target: 0, Current: 0) ✓
KPI 4: Help desk MFA tickets (Target: <30/month, Current: 23) ✓

Measurement Frequency:

Real-time metrics: Dashboard monitoring (availability, security events)
Weekly metrics: Vulnerability management, incident trends
Monthly metrics: KPI reporting to security leadership
Quarterly metrics: Control testing, management review
Annual metrics: Full ISMS review, objective achievement

Improvement Sources

Internal Audits (Clause 9.2)
- Annual internal audit schedule
- Non-conformities tracked to closure
- Opportunities for improvement logged
Management Reviews (Clause 9.3)
- Quarterly ISMS performance review
- Action items assigned and tracked
- Strategic direction updates
Incident Lessons Learned (Control 5.27)
- Post-incident review for all security incidents
- Root cause analysis
- Preventive action implementation
Risk Assessment Updates (Clause 6.1.2)
- Annual comprehensive risk assessment
- Ad-hoc assessments for significant changes
- Emerging risk identification
External Assessments
- ISO 27001 surveillance audits (annual)
- Penetration testing (annual)
- Vulnerability assessments (quarterly)
Threat Intelligence (Control 5.7)
- New threat identification
- Control adaptation to evolving threats
Stakeholder Feedback
- Customer security questionnaires
- Employee security survey (annual)
- Management feedback

Improvement Register

Improvement ID	Source	Description	Priority	Status	Target Date	Owner
IMP-2024-001	Internal Audit	Automate access review attestations	Medium	In Progress	2024-06-30	IAM Team
IMP-2024-002	Incident Lessons	Enhance phishing detection rules	High	Completed	2024-03-15	Security Ops
IMP-2024-003	Management Review	Implement security metrics dashboard	Medium	In Progress	2024-05-30	CISO Office
IMP-2024-004	Risk Assessment	Assess AI/ML risks for new initiatives	High	Planned	2024-07-31	CISO
IMP-2024-005	External Audit Finding	Document exception approval process	High	In Progress	2024-04-30	Compliance
IMP-2024-006	Threat Intelligence	Implement SOAR playbooks	Medium	Planned	2024-09-30	Security Ops

SoA Maintenance and Versioning

Document Maintenance Process

Regular Review Cycle:

Quarterly: Review implementation status updates
Semi-Annually: Review risk mappings and control effectiveness
Annually: Full SoA review and approval
Ad-Hoc: Upon significant organizational or regulatory changes

Triggers for SoA Updates:

New risk identified in risk assessment
Control implementation status change
New technology or system deployment
Organizational restructuring
Regulatory requirement change
Audit finding or recommendation
Significant security incident
Merger, acquisition, or divestiture
ISMS scope change
ISO 27001 standard update

Change Management

SoA Change Procedure:

Proposed change documented with justification
Impact assessment (affected controls, risks, evidence)
Review by ISMS Coordinator
Approval by CISO
Management approval for scope or applicability changes
SoA document updated (version increment)
Affected stakeholders notified
Evidence updated accordingly
Training/communication if required
Audit log updated

Change Log (Last 5 Changes):

Version	Date	Section Changed	Change Description	Approved By
1.5	2024-03-15	Control 8.29	Updated implementation status to "Partially Implemented" after DAST integration	CISO
1.4	2024-02-28	Gap Analysis	Added GAP-007 and GAP-008 based on Q1 risk review	CISO
1.3	2024-02-01	Control 7.5	Marked as N/A after cloud migration completed	CISO/COO
1.2	2024-01-15	Evidence Mapping	Updated evidence references for Q4 2023 evidence collection	ISMS Coord
1.1	2023-12-20	Controls 6.7, 7.9	Updated remote work controls after policy revision	CISO

Version Control

Current Version: 1.5 Approved By: John Smith (CISO), Jane Doe (COO) Approval Date: 2024-03-15 Next Scheduled Review: 2024-06-15 Distribution:

Executive Leadership Team
Information Security Team
Compliance Team
Internal Audit
External Auditor (upon request)

Document Storage:

Master Copy: SharePoint/ISMS/Core Documents/SoA/
File Name: SoA-v1.5-2024-03-15.pdf
Previous Versions: Archived in SharePoint version history

Integration with Other ISMS Documents

The SoA is integrated with:

Risk Register: Risks referenced in SoA, controls referenced in risk treatment
Risk Treatment Plan: Control implementation tracked
Asset Inventory: Assets classified and protected per SoA controls
Policy Framework: Policies implement controls documented in SoA
Audit Program: Audit scope based on applicable controls
Evidence Repository: Evidence mapped to controls
Management Review: SoA updates reported to management
Internal Audit Plan: Audit schedule covers all applicable controls over 3-year cycle

Using This SoA Template

Implementation Guidance

Step 1: Customize the Template

Replace [Organization Name] with your company name
Update document control information
Adjust ISMS scope statement

Step 2: Conduct Risk Assessment

Identify your organization's information security risks
Assign risk IDs and ratings
Document in risk register

Step 3: Determine Control Applicability

Review each of the 93 Annex A controls
Decide applicable vs. not applicable based on:
- Risk treatment decisions
- Legal/regulatory requirements
- Contractual obligations
- Business requirements
- Cost-benefit analysis

Step 4: Document Applicability Decisions

For APPLICABLE controls:
- Document how implemented
- Link to risks mitigated
- Provide evidence references
- Note implementation status
For NOT APPLICABLE controls:
- Provide clear justification
- Document risk assessment decision
- Get management approval

Step 5: Map Controls to Risks and Evidence

Complete risk-to-control mapping
Complete control-to-evidence mapping
Ensure traceability

Step 6: Identify Gaps

Assess implementation status
Document gaps and create remediation plan
Prioritize based on risk

Step 7: Establish Maintenance Process

Set review schedule
Assign ownership
Integrate with other ISMS processes

Step 8: Obtain Management Approval

Present SoA to management
Obtain formal approval
Distribute to relevant stakeholders

Auditor Expectations

What Auditors Look For:

All 93 controls addressed (applicable or not applicable)
Clear justification for controls marked not applicable
Evidence of management approval for N/A decisions
Consistency between SoA, risk assessment, and risk treatment plan
Traceability from risks to controls to evidence
Implementation details sufficient to verify during audit
Regular review and updates
Version control and change management
Evidence readily available and organized
No "checkbox compliance" - genuine implementation

Common Audit Findings:

Insufficient justification for N/A controls
Controls marked "implemented" but lacking evidence
SoA not updated after organizational changes
No management approval of SoA
Incomplete risk-to-control mapping
Evidence references broken or documents not found
Implementation description too vague to verify
Controls implemented differently than documented
No review cycle established
SoA not integrated with risk assessment

Best Practices

Be Honest: Don't claim controls are implemented if they're not. "Planned" is acceptable.
Be Specific: Vague implementation descriptions won't pass audit. Provide details.
Be Consistent: Ensure SoA aligns with your risk assessment, policies, and procedures.
Be Traceable: Maintain clear links between risks, controls, and evidence.
Be Organized: Organize evidence systematically and reference it clearly.
Be Current: Keep SoA updated as your ISMS evolves.
Be Reasonable: Don't mark controls N/A just to reduce workload. Must be genuinely not applicable.
Engage Management: Management must understand and approve the SoA.
Leverage Technology: Use GRC tools to manage SoA, risks, and controls if scale justifies.
Learn from Others: Participate in ISO 27001 user groups and learn from peers.

Conclusion

The Statement of Applicability is your master control document for ISO 27001. It demonstrates:

Systematic approach to security control selection
Risk-based thinking
Management commitment
Due diligence and accountability

A well-maintained SoA makes certification audits smoother and provides ongoing value by:

Creating visibility into control implementation status
Facilitating gap analysis and improvement planning
Supporting compliance with multiple frameworks
Enabling efficient evidence collection
Serving as the foundation for control testing

Invest time in creating a comprehensive, accurate, and well-maintained SoA. It will be your primary reference throughout your ISO 27001 journey.

Next Lesson: In Lesson 3.10, we'll cover Security Objectives Template - how to define measurable information security objectives using the SMART framework and create an objectives dashboard to track progress toward your ISMS goals.