| Field | Value |
| --- | --- |
| Title | Statement of Applicability Template |
| Document ID | [GOV-SOA-001] |
| Version | 0.1 Draft |
| Status | Draft |
| Owner | CISO (Paul Jenkins) |
| Approver | CEO (Paul Hague) |
| Classification | Internal |
| Effective date | [DD Month YYYY] |
| Review date | [DD Month YYYY] |

# Statement of Applicability Template
## Purpose
This template provides the structure for recording which information security controls are applicable to BlackDice's ISMS, why they are included or excluded, and how they are implemented.
## Scope
This template applies to the controls selected for the ISMS and should cover the approved control framework used by BlackDice for ISO/IEC 27001:2022 alignment.
## Data Fields / Expected Columns
The Statement of Applicability should record at least the following fields:

- control reference
- control title
- applicability status
- justification for inclusion or exclusion
- implementation summary
- related document or evidence reference
- control owner
- review date

## Ownership
This document should be owned by [Role]. Control owners must provide implementation detail for controls within their responsibility. Changes should be reviewed as part of risk treatment, audit, and management review activity.
## Update Frequency
The Statement of Applicability should be updated when:

- the control framework changes
- risks materially change
- new systems, services, or suppliers alter the control environment
- control implementation status changes
- audit or review identifies a required update

At minimum, it should be reviewed annually.
## Retention
Superseded versions should be retained in line with BlackDice's document and records retention requirements.
## Template Table
| Control Reference | Control Title | Applicable (Yes/No) | Justification | Implementation Summary | Related Document / Evidence | Control Owner | Review Date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [A.5.x] | [Control title] | [Yes/No] | [Reason] | [How implemented or planned] | [Document ID / record] | [Role] | [DD Month YYYY] |

## Completion Notes
- Exclusions must be explicitly justified.
- Implementation summaries should be factual and concise.
- References should point to policies, standards, procedures, or records rather than unsupported statements.
- Draft entries may identify planned implementation where controls are not yet fully established.

## Related Documents
- ISMS Scope Statement
- ISMS Manual
- Information Security Policy
- Risk Assessment and Treatment Methodology