Using the Statement of Applicability (SOA) report.
Select the Reporting & Analytics button in the top menu bar.
You will see the Reporting & Analytics menu.
Select Assessments and Statement of Applicability as the type of report.
Populate the Filters as follows to fill the SOA with data.
- Authorities – Select the standard, law, or regulation for which you wish to produce a Statement of Applicability. Most often this will be ISO/IEC 27001:2013 Annex A. However, it could be the Information Security Manual or any other Authority Document.
- Assessment Template – Select the Assessment Template you’ve used to carry out an Assessment against the Authority. Most often this will be the ISO/IEC 27001:2013 Annex A Question Set. It could also be any other Assessment mapped to the Authority Document.
- Template Version – Select the Template Version. Most often this will be v1.
- Assessment – Select the specific Assessment you’ve used to carry out the assessment against the Authority. This is the Assessment from which the Implementation Status details will be drawn, and it must align with the selected Assessment Template.
- Assessment Result Version – Select the Assessment Result Version. Most often this will be v1. However, if you update the SOA by reopening the Assessment, you can select the most recent version.
Let’s explore the report in detail.
The first few columns are populated from the selected Authority.
The Applicability, Selection/Exclusion Reason, and Risk Reference columns are populated from the links each requirement (provision) has with Risks on the Risk Register, and these links are the justification for inclusion (otherwise the exclusion reason comes from the Assessment Results).
The Responsibilities and Associated Control Sets columns are populated from the links each requirement (provision) has with Control Sets in Internal Controls, and they represent the applicable Policy Owners and Policies (and standards and procedures).
The Implementation Details column is populated from the Explanations in the selected Assessment. However, if the requirement/control is not on the Risk Register and is therefore Not Applicable, the Explanation from the Assessment is used as the Exclusion Reason instead.
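The column rules above can be followed end to end with a small worked example. The code below is an added illustration, not the reporting tool's own code: the data model (Provision, AssessmentResult), the function build_soa() and the sample Risk Register, Control Set and Assessment data are all constructed here to mirror the rules in the text, so that the link-to-Risk, link-to-Control-Set and Explanation-as-exclusion-reason behaviours can be seen row by row.

```python
"""Worked illustration of how SOA columns are derived from linked data.

Constructed example, not the reporting tool's own code: the classes, the
build_soa() function and all sample data are assumptions that mirror the
column rules described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Provision:
    ref: str      # requirement identifier from the Authority Document
    title: str


@dataclass(frozen=True)
class AssessmentResult:
    status: str       # Implementation Status recorded in the Assessment
    explanation: str  # free-text Explanation recorded in the Assessment


def build_soa(provisions, risk_links, control_set_links, assessment):
    """Return one SOA row (dict keyed by column name) per provision.

    risk_links:        {provision_ref: [(risk_id, risk_title), ...]}
    control_set_links: {provision_ref: [(policy_owner, control_set_name), ...]}
    assessment:        {provision_ref: AssessmentResult}
    """
    rows = []
    for p in provisions:
        risks = risk_links.get(p.ref, [])
        control_sets = control_set_links.get(p.ref, [])
        result = assessment.get(p.ref, AssessmentResult("Not Assessed", ""))

        row = {
            "Ref": p.ref,
            "Title": p.title,
            # Responsibilities = Policy Owners of the linked Control Sets
            "Responsibilities": "; ".join(sorted({owner for owner, _ in control_sets})),
            "Associated Control Sets": "; ".join(name for _, name in control_sets),
            "Implementation Status": result.status,
        }

        if risks:
            # Linked to at least one Risk: the Risk links justify inclusion.
            row["Applicability"] = "Applicable"
            row["Selection/Exclusion Reason"] = "Selected to treat: " + "; ".join(
                title for _, title in risks)
            row["Risk Reference"] = ", ".join(risk_id for risk_id, _ in risks)
            row["Implementation Details"] = result.explanation
        else:
            # Not on the Risk Register: the Assessment Explanation becomes the
            # Exclusion Reason rather than the Implementation Details.
            row["Applicability"] = "Not Applicable"
            row["Selection/Exclusion Reason"] = result.explanation
            row["Risk Reference"] = ""
            row["Implementation Details"] = ""
        rows.append(row)
    return rows


def gaps(rows):
    """Refs of Applicable controls whose status is not 'Implemented'."""
    return [r["Ref"] for r in rows
            if r["Applicability"] == "Applicable"
            and r["Implementation Status"] != "Implemented"]


# --- constructed sample data (not exported from any real system) ---
PROVISIONS = [
    Provision("A.9.4.2", "Secure log-on procedures"),
    Provision("A.12.4.1", "Event logging"),
    Provision("A.14.2.7", "Outsourced development"),
]
RISK_LINKS = {
    "A.9.4.2": [("R-007", "Credential stuffing against customer portal")],
    "A.12.4.1": [("R-003", "Undetected intrusion due to missing audit trail"),
                 ("R-011", "Privileged misuse by administrators")],
}
CONTROL_SET_LINKS = {
    "A.9.4.2": [("Head of IT", "Access Control Policy"),
                ("Head of IT", "Authentication Standard")],
    "A.12.4.1": [("SOC Manager", "Logging and Monitoring Policy")],
}
ASSESSMENT = {
    "A.9.4.2": AssessmentResult("Implemented", "MFA enforced on all external log-on paths."),
    "A.12.4.1": AssessmentResult("Partially Implemented",
                                 "Central log collection live; retention gap on legacy hosts."),
    "A.14.2.7": AssessmentResult("Not Applicable", "No software development is outsourced."),
}


if __name__ == "__main__":
    for r in build_soa(PROVISIONS, RISK_LINKS, CONTROL_SET_LINKS, ASSESSMENT):
        print(r["Ref"], r["Applicability"], "|", r["Selection/Exclusion Reason"])
```

In the sample, A.14.2.7 has no Risk on the register, so it comes out Not Applicable with the Assessment Explanation moved into the Selection/Exclusion Reason column, while A.12.4.1 is Applicable but only partially implemented, which is exactly the kind of row an auditor will ask about.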