ISMS/00-governance/statement-of-applicability-template.md
Paul Jenkins 5eade2d99b Initial commit
2026-03-26 09:35:22 +00:00


Title: Statement of Applicability Template
Document ID: [GOV-SOA-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

Statement of Applicability Template

Purpose

This template provides the structure for recording which information security controls are applicable to BlackDice's ISMS, why they are included or excluded, and how they are implemented.

Scope

This template applies to the controls selected for the ISMS and should cover the approved control framework used by BlackDice for ISO/IEC 27001:2022 alignment.

Data Fields / Expected Columns

The Statement of Applicability should record at least the following fields:

  • control reference
  • control title
  • applicability status
  • justification for inclusion or exclusion
  • implementation summary
  • related document or evidence reference
  • control owner
  • review date

Ownership

This document should be owned by [Role]. Control owners must provide implementation detail for controls within their responsibility. Changes should be reviewed as part of risk treatment, audit, and management review activity.

Update Frequency

The Statement of Applicability should be updated when:

  • the control framework changes
  • risks materially change
  • new systems, services, or suppliers alter the control environment
  • control implementation status changes
  • audit or review identifies a required update

At minimum, it should be reviewed annually.

Retention

Superseded versions should be retained in line with BlackDice's document and records retention requirements.

Template Table

| Control Reference | Control Title | Applicable (Yes/No) | Justification | Implementation Summary | Related Document / Evidence | Control Owner | Review Date |
|---|---|---|---|---|---|---|---|
| [A.5.x] | [Control title] | [Yes/No] | [Reason] | [How implemented or planned] | [Document ID / record] | [Role] | [DD Month YYYY] |

Completion Notes

  • Exclusions must be explicitly justified.
  • Implementation summaries should be factual and concise.
  • References should point to policies, standards, procedures, or records rather than unsupported statements.
  • Draft entries may identify planned implementation where controls are not yet fully established.

Related Documents

  • ISMS Scope Statement
  • ISMS Manual
  • Information Security Policy
  • Risk Assessment and Treatment Methodology