Annex A controls are critical to the ISO 27001 audit process. They’re also the focus of the Statement of Applicability (SoA), one of the most important documents an organization needs to submit to its auditor. Here are some key points to know about Annex A controls:
- There are 93 security controls: These controls can be physical (i.e., locks, gates), technical (i.e., firewalls, encryption), or administrative (i.e., employee security training or off-boarding processes).
- Controls are grouped into four domains: Each domain covers specific aspects of the organization’s security, has specific objectives, and contains several controls to satisfy these objectives.
You must include all 93 controls in your SoA. For each control, you need to provide a statement explaining how the company has implemented the control, as well as justifications for why it does or doesn’t apply to your operations.
How to create an audit-ready SoA
SoA documents are central to the audit process. Your auditor will use it to evaluate the state of your information security processes, tools, and technologies.
What does an audit-ready SoA look like? Here are five important considerations:
1. Format: If you are using a compliance management platform, SoA materials will be collected inside the platform and accessed by your auditor when the work is complete. If you’re not using a compliance management platform, SoA materials will usually be submitted in an Excel file, together with any supporting documents.
2. Content: An SoA must include a policy statement defining your security approach to each of the 14 domains or business areas. You also need to identify which specific controls apply to your organization and include your justification for that decision.
3. Proof: You organization will be asked to provide evidence showing how you support major aspects of security within your organization for every applicable control. Proof may include policy documents, records, or direct access to the tools and technologies that reinforce security.
Documentation of proof doesn’t need to be exhaustive, but it should be a representative sample that shows your auditor how the control functions in an organization. For example, for the screening control in Annex A.7: Human Resource Security, a company could share:
- A few job descriptions that show formal, detailed descriptions
- A policy document that outlines the process for communicating job requirements to new employees
- A sample written acknowledgment each employee signs to confirm they have received and understood the information
No matter what documentation you provide, remember to redact or omit confidential information and personal identification data before submission to your auditor.
4. Versioning: The audit documents submitted by your organization should include some form of numbering or versioning control. When the auditor issues your ISO 27001 certificate, that certification is tied to a specific version of the documents you submitted. This version becomes the point of reference for any future audits.
5. Quality assurance: The SoA and supporting documents must include a record of who reviewed the information and when it was reviewed. This further proves to your auditor its authenticity as an internal quality management process.
Advantages of using a platform to collect Annex A controls
While a compliance management platform isn’t mandatory, it’s often preferred over a spreadsheet when it comes to creating an SoA. Below are some of the top advantages of a technology-supported audit process:
1. Version control: Spreadsheets don’t lend themselves well to versioning, and the versioning process can quickly spin out of control as multiple people across the organization contribute.
On the other hand, a software platform will automatically create new versions as files move from one person to the other and record the chain of custody. Because versioning is such a critical part of the process, the ability to track and control versioning plays a big role in ensuring compliance success.
2. Audit preparation: A compliance platform is specially built to prepare your organization for its audit certification process. Instead of having to develop policy language, domain policies, control justification, and implementation statements from scratch, you can customize the best-practice content already provided in the platform.
Dedicated software also eliminates much of the manual work in future audits by automatically organizing all the information needed by your auditor in a way that’s easy to update, share, and review.
3. Automated reminders: A platform keeps the audit process on track thanks to automated reminders and alerts regarding any risks identified during the project scoping process.
4. Evidence-gathering: Collecting the right evidence to prove each control in your operations is time-consuming. A compliance platform can help automate these routine tasks. For instance, instead of emailing each piece of evidence to your auditor, you can attach them directly to the appropriate control.
These controls, in turn, link to specific risks identified during the ISO 27001 scoping process. This creates a network of interrelated elements that are much easier to navigate during the entire audit process.
Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.
