“The SOA can easily be produced by examining the risk assessment to identify the necessary controls and risk treatment plan to identify those that are planned to be implemented. Only controls identified in the risk assessment can be included in the SOA. Controls cannot be added to the SOA independent of the risk assessment. There should be consistency between the controls necessary to realize selected risk treatment options and the SOA. The SOA can state that the justification for the inclusion of a control is the same for all controls and that they have been identified in the risk assessment as necessary to treat one or more risks to an acceptable level. No further justification for the inclusion of a control is needed for any of the controls.”
This paragraph from ISO 27005 explains the relationship between the Statement of Applicability (SoA) and the risk assessment process in an ISO 27001-based Information Security Management System (ISMS). Here’s a breakdown of the key points:
- SoA Derivation from Risk Assessment
- The SoA must be based on the risk assessment and risk treatment plan.
- It should only include controls that were identified as necessary during the risk assessment.
- Organizations cannot arbitrarily add controls to the SoA without a corresponding risk justification.
- Consistency with Risk Treatment Plan
- The SoA must align with the selected risk treatment options.
- This ensures that the controls listed in the SoA effectively address the identified risks.
- Justification for Controls
- The SoA can state that all controls were chosen because they are necessary for risk treatment.
- No separate or additional justification is needed for each individual control beyond its necessity in treating risks.
Why This Matters:
- Ensures a risk-driven approach to control selection.
- Prevents the arbitrary inclusion of unnecessary controls, which could lead to inefficiencies.
- Helps in audits and compliance by clearly showing the link between risks, treatments, and controls.
Practical Example of SoA and Risk Assessment Linkage
Scenario:
A company conducts a risk assessment as part of its ISO 27001 implementation and identifies the following risk:
- Risk: Unauthorized access to sensitive customer data due to weak authentication mechanisms.
- Risk Level: High
- Risk Treatment Plan: Implement multi-factor authentication (MFA) to reduce the risk to an acceptable level.
How This Affects the SoA:
- Control Selection:
- The company refers to Annex A of ISO 27001 and identifies Control A.9.4.1 (Use of Secure Authentication Mechanisms) as necessary to mitigate the risk.
- This control is added to the SoA because the risk assessment identified it as necessary.
- Justification in the SoA:
- The SoA will list A.9.4.1 – Secure Authentication Mechanisms as an included control.
- The justification can be:
“This control has been identified as necessary in the risk assessment to mitigate the risk of unauthorized access to customer data.” - No additional justification is needed because the link to the risk assessment is sufficient.
- What Cannot Be Done:
- The company cannot arbitrarily add a control, such as A.14.2.9 (Protection of Test Data), unless it was identified as necessary in the risk assessment.
- Adding controls without risk justification would violate ISO 27005’s requirement for consistency.
Key Takeaways:
- Every control in the SoA must be traceable to a risk.
- The SoA cannot contain controls that were not justified in the risk assessment.
- Justification for controls can be standardized, reducing documentation overhead.
This approach ensures that the ISMS remains risk-based, justifiable, and auditable.
DISC InfoSec Previous posts on ISO27k
ISO certification training courses.
Difference Between Internal and External Audit
InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory | ISO 27k Chat bot | Comprehensive vCISO Services | ISMS Services | Security Risk Assessment Services
March 12th, 2025 10:35 am
[…] Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Appli… […]
March 19th, 2025 8:51 am
[…] Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Appli… […]
April 2nd, 2025 9:29 am
[…] Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Appli… […]
April 5th, 2025 3:10 pm
[…] Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Appli… […]
April 11th, 2025 12:23 pm
[…] Is a Risk Assessment required to justify the inclusion of Annex A controls in the Statement of Appli… […]