SoA Template (ISM to ISO Map) - September 2022
Details
The Statement of Applicability (SoA) contains all controls that have been considered for inclusion in the Information Security Management System (ISMS). It serves to link risks to treatments and acts as an ongoing management tool that enables the status of controls to be tracked.
Annex A of the ISO27001:2013 standard contains a comprehensive list of controls, but the standard also allows organisations to design their own controls, or identify them from another source. This template includes all Annex A controls.
Right Fit For Risk (RFFR) requires organisations to address controls sourced from the Australian Government Information Security Manual (ISM). The ISM is produced by the Australian Cyber Security Centre (ACSC) and contains prescriptive controls to secure government information of each classification. This template includes all ISM controls that are relevant for OFFICIAL information, mapped to the Annex A control objectives. Some of these controls are not typically applicable to non-government organisations. These have been separated out with a potential justification for their exclusion.
Information that is handled in the course of delivering deed-related services is considered OFFICIAL, and any personal or sensitive information is considered OFFICIAL: Sensitive. Therefore, all controls in this template must be addressed by following the steps below.
How to Complete:

| Step | Instruction |
|---|---|
| Step 1 | Ensure you have defined the 'physical boundaries' and 'logical boundaries' of your ISMS in your Scope document. Consider your critical data assets and systems within the defined boundaries while addressing the controls. |
| Step 2 | Ensure the SoA template is no older than 3 months. Obtain the latest SoA template from the department's website (see link above). Obtain the ISM document from the ACSC website (see link above) and consult the additional guidance on the ACSC website as you progress. |
| Step 3 | For each control, determine whether it is applicable to your organisation. If the control is not applicable, select 'Not applicable' and state a justification that explains why the control is not applicable. For example, if the related type of system is not used within your organisation, the control is not applicable. Ensure you follow the definitions and guidance published by the ACSC. Note that all controls in this template are relevant to the sensitivity of program-related information. Controls should not be marked 'Not applicable' based only on an internal risk assessment, as the SoA must provide an accurate picture of the residual risks facing the department. |
| Step 4 | Review the controls in the 'Potentially excluded controls' worksheet and confirm that the justifications are valid for your organisation. If any of these controls should be applicable, move them back to the main worksheet. |
| Step 5 | For each applicable control, select the 'Current implementation status' via the dropdown list (see definitions below). |
| Step 6 | Describe the 'Implementation details'. Note that some controls are relevant to multiple assets that may be within your scope, so ensure that every relevant asset is explicitly addressed. For example, for policy-based controls you should reference the policy document; for technical controls, you should briefly describe how the control has been implemented and on which systems it is implemented. |
| Step 7 | For each applicable control that is 'Partially implemented' or 'Not implemented', briefly describe the implementation plan, state the responsible person, and state the estimated completion date. Fully implemented controls do not require ongoing plans. |
| Step 8 | Review and update your SoA between RFFR Milestones and during your Accreditation Maintenance period. The SoA should be regularly revised to demonstrate consideration of new or changed ISM controls, and the effectiveness of the implementations should be monitored and improved. |
More Information
| Field | Value |
|---|---|
| Jurisdiction | Australia |
| Type | Laws or related obligations |