Initial commit
72
00-governance/statement-of-applicability-template.md
Normal file
@@ -0,0 +1,72 @@
Title: Statement of Applicability Template
Document ID: [GOV-SOA-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Statement of Applicability Template

## Purpose

This template provides the structure for recording which information security controls are applicable to BlackDice's ISMS, why they are included or excluded, and how they are implemented.

## Scope

This template applies to the controls selected for the ISMS and should cover the approved control framework used by BlackDice for ISO/IEC 27001:2022 alignment.

## Data Fields / Expected Columns

The Statement of Applicability should record at least the following fields:

- control reference
- control title
- applicability status
- justification for inclusion or exclusion
- implementation summary
- related document or evidence reference
- control owner
- review date

## Ownership

This document should be owned by [Role]. Control owners must provide implementation detail for controls within their responsibility. Changes should be reviewed as part of risk treatment, audit, and management review activity.

## Update Frequency

The Statement of Applicability should be updated when:

- the control framework changes
- risks materially change
- new systems, services, or suppliers alter the control environment
- control implementation status changes
- audit or review identifies a required update

At minimum, it should be reviewed annually.

## Retention

Superseded versions should be retained in line with BlackDice's document and records retention requirements.

## Template Table

| Control Reference | Control Title | Applicable (Yes/No) | Justification | Implementation Summary | Related Document / Evidence | Control Owner | Review Date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [A.5.x] | [Control title] | [Yes/No] | [Reason] | [How implemented or planned] | [Document ID / record] | [Role] | [DD Month YYYY] |

## Completion Notes

- Exclusions must be explicitly justified.
- Implementation summaries should be factual and concise.
- References should point to policies, standards, procedures, or records rather than unsupported statements.
- Draft entries may identify planned implementation where controls are not yet fully established.

## Related Documents

- ISMS Scope Statement
- ISMS Manual
- Information Security Policy
- Risk Assessment and Treatment Methodology
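Review bot: the header names a concrete owner (`Owner: CISO (Paul Jenkins)`) while the Ownership section still reads `This document should be owned by [Role].`, so the template ships with two different answers to the same question; either fill the placeholder with the CISO role or make the header Owner a placeholder as well. Two smaller points on the table: the Completion Notes allow draft entries to record planned implementation, but the only status column is `Applicable (Yes/No)`, so adding an implementation status column (implemented / partially implemented / planned) next to `Implementation Summary` would let planned controls be filtered rather than read out of free text, and would give the "control implementation status changes" trigger in Update Frequency a field to change. Finally, since the Ownership section ties changes to risk treatment activity, the Related Documents list would benefit from also referencing the risk treatment plan (or register) that the justification column is meant to trace back to.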