
STATEMENT OF APPLICABILITY (SOA)



ISO/IEC 27001 Statement of Applicability (SoA) Writing Services

MorganHill helps organizations develop highly customized, well-written ISO/IEC 27001 Statement of Applicability (SoA) documentation. An ISO/IEC 27001 Statement of Applicability (SoA) is an essential part of an organization's Information Security Management System (ISMS) based on the ISO/IEC 27001 standard. The purpose of the SoA is to define the scope of the ISMS and specify the controls that are applicable to the organization's information security.

A well-written SoA, such as one provided by MorganHill, includes the following information:

  • Introduction: This section provides an overview of the SoA and its purpose. Additionally, it often includes details about the organization's commitment to information security and compliance with ISO/IEC 27001.

  • Scope: The scope section defines the boundaries of the ISMS, indicating the organizational units, processes, locations, and all in-scope assets covered by the system.

  • Normative references: This section lists any external documentation or standards referenced within the SoA.

  • Control Objectives and Controls: The SoA outlines the control objectives and the corresponding controls that the organization has implemented to address the identified risks. These controls are based on Annex A of the ISO/IEC 27002:2022 standard, which provides a comprehensive list of security controls across different domains, such as access control, asset management, cryptography, incident management, etc.

  • Justification for Exclusions: If the organization decides to exclude any controls from the Annex A controls, this section explains the rationale behind such exclusions.

  • Applicability of Controls: The SoA specifies whether each control is applicable and implemented within the organization. Specifically, it should indicate whether a control is fully implemented, partially implemented, or not implemented, based on the organization's risk assessment and business requirements.

  • Supporting Information: This section may include any additional details or references that support the applicability of controls.

The SoA serves as a crucial reference document during an organization's journey towards ISO/IEC 27001 certification. It demonstrates the organization's commitment to information security by outlining the controls implemented to protect its assets and manage risks effectively. An SoA should be regularly reviewed and updated to reflect changes within an organization's information security landscape, specifically changes to any in-scope Annex A controls found within the ISO/IEC 27002:2022 standard.


Begin your ISO/IEC 27001 journey today with our industry-leading ISMS 27001 Scoping & Gap Assessment Workbook. Our comprehensive, in-depth ISMS 27001 Scoping & Gap Assessment Workbook will help organizations clearly define the scope of their Information Security Management System (ISMS) as required by ISO/IEC 27001.


Also, we offer industry-leading security documentation to help organizations develop all required Information Security Management System (ISMS) policies, procedures, programs, and plans in accordance with ISO/IEC 27001 & 27002.


Additional documentation offered includes a wide range of ISO-specific InfoSec, cybersecurity, and data privacy documents, along with an industry-leading Risk Assessment Program, Statement of Applicability Workbook, Internal Audit Program, Continuous Monitoring Program, and much more.

Health Technology Case Study

Four months after completing all necessary pre-certification work, the organization obtained ISO/IEC 27001 certification from an accredited ISO ANAB body that we recommended to them.

Cybersecurity Case Study

The organization obtained ISO 27001 certification from an accredited ISO ANAB body that I recommended to them.

Manufacturing Case Study

Four months after completing all necessary pre-certification work, the organization obtained ISO 27001 certification from an accredited ISO ANAB body that we recommended to them.

Healthcare Case Study

Three months after completing all necessary pre-certification work, the organization obtained ISO/IEC 27001 certification from an accredited ISO ANAB body that we recommended to them.

Talk to MorganHill today and get the answers you need

Scope: We'll help you define important scoping parameters.

Documentation: We'll help you develop all required policies and procedures.

Guidance: We'll guide you through the ISO/IEC process from start to finish.

One Price: Our fees for all services are fixed.

Wherever you are in North America, Europe, Africa, or Asia, MorganHill is ready to assist.

Expertise: Since 2006, we have been an industry leader for ISO/IEC.

Knowledge: We've worked with every ISO/IEC standard currently in print.

Industry: We've worked in every major industry/sector.


Why Morgan Hill?

Since 2006, a Global Leader in ISO/IEC Advisory Solutions.
A True Footprint all around the World.

Respected. Recognized. Resourceful.