
Step-by-Step Instruction for reviewing SoA for ISO 27001:2022


As you transition to ISO 27001:2022, a crucial step is revising your Statement of Applicability (SoA) to align with the updated standard. Annex A now lists 93 controls grouped into four themes (organizational, people, physical and technological) instead of the 114 controls in 14 domains of the 2013 edition, so every existing row of your SoA has to be re-mapped, not only the rows for new controls. Reviewing the SoA requires a thorough and methodical approach. To assist you in this process, here is a comprehensive step-by-step guide:

Re-Evaluate Risks, Threats, and Vulnerabilities:

    • Begin by re-assessing your organization’s risks, threats, and vulnerabilities. This involves identifying potential security issues that could impact your information assets.
    • Use a structured approach such as a risk assessment matrix to score each risk on likelihood and impact, and compare the result against the risk acceptance criteria you defined for the ISMS (clause 6.1.2).

Prioritize High-Risk Areas:

    • From the risk assessment, identify which risks rank highest in terms of priority. High-priority risks typically have a high likelihood of occurrence and/or a high impact on the organization.
    • Focus on risks that could lead to significant financial loss, legal issues, business disruption, or damage to reputation.

Map Applicable Controls:

    • For each high-priority risk, identify the controls that will treat it. Clause 6.1.3 lets you take controls from Annex A or from any other source, but you must then compare your chosen set against Annex A to confirm that no necessary control has been omitted.
    • Pay special attention to the 11 controls introduced in the 2022 revision (threat intelligence, information security for use of cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding), as they address newer threats and technologies. Also check the controls that were merged or renumbered: the 2013 references in your old SoA no longer map one-to-one.

Update the Statement of Applicability:

    • Update your SoA to reflect the current risk environment and the controls you’ve chosen to implement.
    • For each control, the SoA should clearly state whether it is applicable, the justification for that decision, and whether the control is implemented or not. Clause 6.1.3 d) requires all three, including a justification for every exclusion.

Document Justifications for Control Choices:

    • For each control, document why it has been selected or omitted. This is crucial for demonstrating your decision-making process during audits.
    • Include considerations such as the effectiveness of the control against specific risks, cost-benefit analysis, and legal or regulatory requirements.

Review Organizational Context:

    • Consider any changes in the organizational context that might affect the SoA, such as new business operations, changes in legal requirements, or technological advancements.

Engage Stakeholders:

    • Consult with various stakeholders, including IT, legal, HR, and operations, for a comprehensive view of risks and controls.
    • Their input can provide insights into practical aspects of implementing certain controls and how they align with business objectives.

Conduct a Gap Analysis:

    • Perform a gap analysis between the current state of information security and the target state described by the SoA: every control marked applicable but not yet implemented, and every high-priority risk whose treatment controls are excluded, is a gap.
    • This will help identify areas where additional measures are needed to meet the standard's requirements.

Plan for Implementation or Improvement:

    • Based on the gap analysis, develop a plan to implement new controls or improve existing ones.
    • Set clear timelines and responsibilities for implementing the controls.

Monitor and Review Regularly:

    • Regularly monitor the effectiveness of implemented controls and make adjustments as necessary.
    • The SoA should be a living document, reviewed and updated regularly to reflect changes in the risk environment or the organization.
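The steps above amount to a set of cross-checks between the risk register and the SoA that can be automated. The following script is an added example, not part of the original article or any ISO publication: it scores a constructed risk register on likelihood and impact, picks the high-priority risks, and then checks the SoA rows for the problems an auditor looks for (a control that treats a high risk but is excluded or missing, a row with no justification, an applicable control that is not implemented, and any of the 11 new 2022 controls with no decision recorded). Control identifiers follow Annex A numbering of ISO/IEC 27001:2022; the risks, SoA rows and the priority threshold of 12 are assumptions for illustration.

```python
"""Added example: SoA consistency check against a risk register.

All risks and SoA rows below are constructed sample data, not a real register.
Control IDs use ISO/IEC 27001:2022 Annex A numbering.
"""
from dataclasses import dataclass


# The 11 controls introduced in the 2022 revision of Annex A.
NEW_2022_CONTROLS = {
    "5.7", "5.23", "5.30", "7.4", "8.9", "8.10",
    "8.11", "8.12", "8.16", "8.23", "8.28",
}


@dataclass
class Risk:
    rid: str
    description: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    controls: set          # Annex A controls chosen to treat this risk

    @property
    def score(self) -> int:
        # Simple 5x5 matrix: likelihood times impact.
        return self.likelihood * self.impact


@dataclass
class SoaEntry:
    control: str
    applicable: bool
    justification: str = ""
    implemented: bool = False


def prioritize(risks, threshold=12):
    """Return the high-priority risks (score >= threshold), highest first."""
    return sorted((r for r in risks if r.score >= threshold), key=lambda r: -r.score)


def review_soa(risks, soa, threshold=12):
    """Cross-check the SoA against the risk treatment decisions.

    Returns a sorted list of (control, finding) tuples; an empty list means
    the SoA is consistent with the register under these checks.
    """
    by_control = {e.control: e for e in soa}
    findings = []
    # 1. Every control that treats a high-priority risk must be applicable.
    for r in prioritize(risks, threshold):
        for c in sorted(r.controls):
            entry = by_control.get(c)
            if entry is None:
                findings.append((c, f"treats {r.rid} but is missing from the SoA"))
            elif not entry.applicable:
                findings.append((c, f"treats {r.rid} but is marked not applicable"))
    # 2. Every row needs a justification; applicable-but-unimplemented is a gap.
    for e in soa:
        if not e.justification.strip():
            findings.append((e.control, "no justification recorded"))
        if e.applicable and not e.implemented:
            findings.append((e.control, "applicable but not yet implemented (gap)"))
    # 3. Each new 2022 control must appear with an explicit decision.
    for c in sorted(NEW_2022_CONTROLS - set(by_control)):
        findings.append((c, "new 2022 control not addressed in the SoA"))
    return sorted(findings)


# Constructed sample register (assumed scores and control choices).
RISKS = [
    Risk("R1", "Credential theft via phishing", 4, 4, {"5.17", "6.3", "8.5"}),
    Risk("R2", "Customer data leak from cloud storage", 3, 5, {"5.23", "8.12"}),
    Risk("R3", "Visitor tailgating into the office", 2, 2, {"7.2"}),
]

# Constructed sample SoA rows: one excluded control with no justification,
# one applicable control not yet implemented, and most new controls absent.
SOA = [
    SoaEntry("5.17", True, "Treats R1; authentication information policy", True),
    SoaEntry("6.3", True, "Treats R1; awareness training programme", True),
    SoaEntry("8.5", True, "Treats R1; MFA on all remote access", True),
    SoaEntry("5.23", True, "Treats R2; cloud service onboarding checks", False),
    SoaEntry("8.12", False, "", False),
    SoaEntry("7.2", True, "Treats R3; reception desk and badge policy", True),
    SoaEntry("8.23", False, "No outbound web proxy; residual risk accepted", False),
]


if __name__ == "__main__":
    for control, msg in review_soa(RISKS, SOA):
        print(f"{control:>5}: {msg}")
```

Run as-is, the script reports 8.12 twice (it treats the high-priority risk R2 yet is excluded, and the exclusion has no justification), flags 5.23 as an open gap, and lists the eight new 2022 controls that the sample SoA never mentions. Swapping the constructed lists for an export of your own register and SoA gives you a repeatable check to run before each management review.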

Remember, the process of reviewing the SoA is not a one-time activity but a continuous process that evolves as the organization and its external environment change.