The Statement of Applicability (SoA) is a key document that defines how an organization implements much of its cyber security.
The statement describes which of the controls recommended by ISO 27001 are implemented in the organization, how they are implemented, and the current state of each control. It also records the justification for any controls that are not applied.
The organization has defined procedures for assessing and treating cyber security risks. The definition includes at least:
The task owner regularly checks that the procedure is clear and produces consistent results.
The organization proactively seeks to list and assess the likelihood and severity of various cyber security risks. The documentation shall include the following:
The organization must determine an acceptable level of risk. The level is calculated from the likelihood, the impact, and the degree of control over each risk.