This template was created by the people of ICT Institute
You can find the latest version and other templates here:
https://ictinstitute.nl/free-templates/
You can use this template freely under the Creative Commons Attribution license
https://creativecommons.org/licenses/by/4.0/
You can do the following with the templates:
Share. You can share the templates and any documents made with these templates freely, with anyone that you want to share it with.
Adapt. You can make new documents based on the templates, make changes, add elements or delete elements as much as you want. You can even do this in commercial organisations or for commercial purposes.
If you are a customer, you do not have to mention ICT Institute anywhere.
If you are not a customer, you must keep the text "created by the people of ICT Institute" somewhere.
Note that the use of these templates is of course at your own risk.
Note also that the ISO standards are copyrighted. You must buy the standard from NEN or ISO before using it.
Read also:
https://ictinstitute.nl/iso-27001-and-nen7510-support/
https://ictinstitute.nl/iso27002-explained-part-1/
https://ictinstitute.nl/iso27002-2022-explained-1/
Statement of Applicability ISO 27001:2022
Organisation:
Version: 10/1/2022
Approval status: To be approved in management review
| Nr. | Chapter | Topic | Control | Applicable to our organisation (Yes/No) |
| --- | --- | --- | --- | --- |
| 5.1 | Organizational controls | Policies for information security | Information security policy and topic-specific policies shall be defined, approved by management, published, communicated to and acknowledged by relevant personnel and relevant interested parties, and reviewed at planned intervals and if significant changes occur. | |
| 5.2 | Organizational controls | Information security roles and responsibilities | Information security roles and responsibilities shall be defined and allocated according to the organization needs. | |
| 5.3 | Organizational controls | Segregation of duties | Conflicting duties and conflicting areas of responsibility shall be segregated. | |
| 5.4 | Organizational controls | Management responsibilities | Management shall require all personnel to apply information security in accordance with the established information security policy, topic-specific policies and procedures of the organization. | |
| 5.5 | Organizational controls | Contact with authorities | The organization shall establish and maintain contact with relevant authorities. | |
| 5.6 | Organizational controls | Contact with special interest groups | The organization shall establish and maintain contact with special interest groups or other specialist security forums and professional associations. | |
| 5.7 | Organizational controls | Threat intelligence | Information relating to information security threats shall be collected and analysed to produce threat intelligence. | |
| 5.8 | Organizational controls | Information security in project management | Information security shall be integrated into project management. | |
| 5.9 | Organizational controls | Inventory of information and other associated assets | An inventory of information and other associated assets, including owners, shall be developed and maintained. | |
| 5.10 | Organizational controls | Acceptable use of information and other associated assets | Rules for the acceptable use and procedures for handling information and other associated assets shall be identified, documented and implemented. | |
| 5.11 | Organizational controls | Return of assets | Personnel and other interested parties as appropriate shall return all the organization's assets in their possession upon change or termination of their employment, contract or agreement. | |
| 5.12 | Organizational controls | Classification of information | Information shall be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. | |
| 5.13 | Organizational controls | Labelling of information | An appropriate set of procedures for information labelling shall be developed and implemented in accordance with the information classification scheme adopted by the organization. | |
| 5.14 | Organizational controls | Information transfer | Information transfer rules, procedures, or agreements shall be in place for all types of transfer facilities within the organization and between the organization and other parties. | |
| 5.15 | Organizational controls | Access control | Rules to control physical and logical access to information and other associated assets shall be established and implemented based on business and information security requirements. | |
| 5.16 | Organizational controls | Identity management | The full life cycle of identities shall be managed. | |
| 5.17 | Organizational controls | Authentication information | Allocation and management of authentication information shall be controlled by a management process, including advising personnel on appropriate handling of authentication information. | |
| 5.18 | Organizational controls | Access rights | Access rights to information and other associated assets shall be provisioned, reviewed, modified and removed in accordance with the organization's topic-specific policy on and rules for access control. | |
| 5.19 | Organizational controls | Information security in supplier relationships | Processes and procedures shall be defined and implemented to manage the information security risks associated with the use of supplier's products or services. | |
| 5.20 | Organizational controls | Addressing information security within supplier agreements | Relevant information security requirements shall be established and agreed with each supplier based on the type of supplier relationship. | |
| 5.21 | Organizational controls | Managing information security in the information and communication technology (ICT) supply chain | Processes and procedures shall be defined and implemented to manage the information security risks associated with the ICT products and services supply chain. | |
| 5.22 | Organizational controls | Monitoring, review and change management of supplier services | The organization shall regularly monitor, review, evaluate and manage change in supplier information security practices and service delivery. | |
| 5.23 | Organizational controls | Information security for use of cloud services | Processes for acquisition, use, management and exit from cloud services shall be established in accordance with the organization's information security requirements. | |
| 5.24 | Organizational controls | Information security incident management planning and preparation | The organization shall plan and prepare for managing information security incidents by defining, establishing and communicating information security incident management processes, roles and responsibilities. | |
| 5.25 | Organizational controls | Assessment and decision on information security events | The organization shall assess information security events and decide if they are to be categorized as information security incidents. | |
| 5.26 | Organizational controls | Response to information security incidents | Information security incidents shall be responded to in accordance with the documented procedures. | |
| 5.27 | Organizational controls | Learning from information security incidents | Knowledge gained from information security incidents shall be used to strengthen and improve the information security controls. | |
| 5.28 | Organizational controls | Collection of evidence | The organization shall establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events. | |
| 5.29 | Organizational controls | Information security during disruption | The organization shall plan how to maintain information security at an appropriate level during disruption. | |
| 5.30 | Organizational controls | ICT readiness for business continuity | ICT readiness shall be planned, implemented, maintained and tested based on business continuity objectives and ICT continuity requirements. | |
| 5.31 | Organizational controls | Legal, statutory, regulatory and contractual requirements | Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements shall be identified, documented and kept up to date. | |
| 5.32 | Organizational controls | Intellectual property rights | The organization shall implement appropriate procedures to protect intellectual property rights. | |
| 5.33 | Organizational controls | Protection of records | Records shall be protected from loss, destruction, falsification, unauthorized access and unauthorized release. | |
| 5.34 | Organizational controls | Privacy and protection of personal identifiable information (PII) | The organization shall identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements. | |
| 5.35 | Organizational controls | Independent review of information security | The organization's approach to managing information security and its implementation including people, processes and technologies shall be reviewed independently at planned intervals, or when significant changes occur. | |
| 5.36 | Organizational controls | Compliance with policies, rules and standards for information security | Compliance with the organization's information security policy, topic-specific policies, rules and standards shall be regularly reviewed. | |
| 5.37 | Organizational controls | Documented operating procedures | Operating procedures for information processing facilities shall be documented and made available to personnel who need them. | |
| 6.1 | People controls | Screening | Background verification checks on all candidates to become personnel shall be carried out prior to joining the organization and on an ongoing basis taking into consideration applicable laws, regulations and ethics and be proportional to the business requirements, the classification of the information to be accessed and the perceived risks. | |
| 6.2 | People controls | Terms and conditions of employment | The employment contractual agreements shall state the personnel's and the organization's responsibilities for information security. | |
| 6.3 | People controls | Information security awareness, education and training | Personnel of the organization and relevant interested parties shall receive appropriate information security awareness, education and training and regular updates of the organization's information security policy, topic-specific policies and procedures, as relevant for their job function. | |
| 6.4 | People controls | Disciplinary process | A disciplinary process shall be formalized and communicated to take actions against personnel and other relevant interested parties who have committed an information security policy violation. | |
| 6.5 | People controls | Responsibilities after termination or change of employment | Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, enforced and communicated to relevant personnel and other interested parties. | |
| 6.6 | People controls | Confidentiality or non-disclosure agreements | Confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, documented, regularly reviewed and signed by personnel and other relevant interested parties. | |
| 6.7 | People controls | Remote working | Security measures shall be implemented when personnel are working remotely to protect information accessed, processed or stored outside the organization's premises. | |
| 6.8 | People controls | Information security event reporting | The organization shall provide a mechanism for personnel to report observed or suspected information security events through appropriate channels in a timely manner. | |
| 7.1 | Physical controls | Physical security perimeters | Security perimeters shall be defined and used to protect areas that contain information and other associated assets. | |
| 7.2 | Physical controls | Physical entry | Secure areas shall be protected by appropriate entry controls and access points. | |
| 7.3 | Physical controls | Securing offices, rooms and facilities | Physical security for offices, rooms and facilities shall be designed and implemented. | |
| 7.4 | Physical controls | Physical security monitoring | Premises shall be continuously monitored for unauthorized physical access. | |
| 7.5 | Physical controls | Protecting against physical and environmental threats | Protection against physical and environmental threats, such as natural disasters and other intentional or unintentional physical threats to infrastructure shall be designed and implemented. | |
| 7.6 | Physical controls | Working in secure areas | Security measures for working in secure areas shall be designed and implemented. | |
| 7.7 | Physical controls | Clear desk and clear screen | Clear desk rules for papers and removable storage media and clear screen rules for information processing facilities shall be defined and appropriately enforced. | |
| 7.8 | Physical controls | Equipment siting and protection | Equipment shall be sited securely and protected. | |
| 7.9 | Physical controls | Security of assets off-premises | Off-site assets shall be protected. | |
| 7.10 | Physical controls | Storage media | Storage media shall be managed through their life cycle of acquisition, use, transportation and disposal in accordance with the organization's classification scheme and handling requirements. | |
| 7.11 | Physical controls | Supporting utilities | Information processing facilities shall be protected from power failures and other disruptions caused by failures in supporting utilities. | |
| 7.12 | Physical controls | Cabling security | Cables carrying power, data or supporting information services shall be protected from interception, interference or damage. | |
| 7.13 | Physical controls | Equipment maintenance | Equipment shall be maintained correctly to ensure availability, integrity and confidentiality of information. | |
| 7.14 | Physical controls | Secure disposal or re-use of equipment | Items of equipment containing storage media shall be verified to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal or re-use. | |
| 8.1 | Technological controls | User endpoint devices | Information stored on, processed by or accessible via user end point devices shall be protected. | |
| 8.2 | Technological controls | Privileged access rights | The allocation and use of privileged access rights shall be restricted and managed. | |
| 8.3 | Technological controls | Information access restriction | Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control. | |
| 8.4 | Technological controls | Access to source code | Read and write access to source code, development tools and software libraries shall be appropriately managed. | |
| 8.5 | Technological controls | Secure authentication | Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control. | |
| 8.6 | Technological controls | Capacity management | The use of resources shall be monitored and adjusted in line with current and expected capacity requirements. | |
| 8.7 | Technological controls | Protection against malware | Protection against malware shall be implemented and supported by appropriate user awareness. | |
| 8.8 | Technological controls | Management of technical vulnerabilities | Information about technical vulnerabilities of information systems in use shall be obtained, the organization's exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken. | |
| 8.9 | Technological controls | Configuration management | Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed. | |
| 8.10 | Technological controls | Information deletion | Information stored in information systems, devices or in any other storage media shall be deleted when no longer required. | |
| 8.11 | Technological controls | Data masking | Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration. | |
| 8.12 | Technological controls | Data leakage prevention | Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information. | |
| 8.13 | Technological controls | Information backup | Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup. | |
| 8.14 | Technological controls | Redundancy of information processing facilities | Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements. | |
| 8.15 | Technological controls | Logging | Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed. | |
| 8.16 | Technological controls | Monitoring activities | Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents. | |
| 8.17 | Technological controls | Clock synchronization | The clocks of information processing systems used by the organization shall be synchronized to approved time sources. | |
| 8.18 | Technological controls | Use of privileged utility programs | The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled. | |
| 8.19 | Technological controls | Installation of software on operational systems | Procedures and measures shall be implemented to securely manage software installation on operational systems. | |
| 8.20 | Technological controls | Networks security | Networks and network devices shall be secured, managed and controlled to protect information in systems and applications. | |
| 8.21 | Technological controls | Security of network services | Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored. | |
| 8.22 | Technological controls | Segregation in networks | Groups of information services, users and information systems shall be segregated in the organization's networks. | |
| 8.23 | Technological controls | Web filtering | Access to external websites shall be managed to reduce exposure to malicious content. | |
| 8.24 | Technological controls | Use of cryptography | Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented. | |
| 8.25 | Technological controls | Secure development lifecycle | Rules for the secure development of software and systems shall be established and applied. | |
| 8.26 | Technological controls | Application security requirements | Information security requirements shall be identified, specified and approved when developing or acquiring applications. | |
| 8.27 | Technological controls | Secure system architecture and engineering principles | Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities. | |
| 8.28 | Technological controls | Secure coding | Secure coding principles shall be applied to software development. | |
| 8.29 | Technological controls | Security testing in development and acceptance | Security testing processes shall be defined and implemented in the development life cycle. | |
| 8.30 | Technological controls | Outsourced development | The organization shall direct, monitor and review the activities related to outsourced system development. | |
| 8.31 | Technological controls | Separation of development, test and production environments | Development, testing and production environments shall be separated and secured. | |
| 8.32 | Technological controls | Change management | Changes to information processing facilities and information systems shall be subject to change management procedures. | |
| 8.33 | Technological controls | Test information | Test information shall be appropriately selected, protected and managed. | |
| 8.34 | Technological controls | Protection of information systems during audit testing | Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management. | |
Template by ICT Institute
For internal use (don’t share)
Justification for inclusion | Motivation for non-applicability | Implemented in our organisation (Yes/No) | How and where implemented | Control owner
For internal use (do not print this part for your official statement of applicability)
Control type | InfoSec properties (Confidentiality, Integrity, Availability) | CyberSec concepts
Preventive X X X Identify
Preventive X X X Identify
Preventive X X X Protect
Preventive X X X Identify
Preventive Protect
Corrective X X X Respond
Recover
Preventive Protect
Corrective X X X Respond
Recover
Preventive Identify
Detective X X X Detect
Identify
Preventive X X X Protect
Preventive X X X Identify
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Identify
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Identify
Preventive X X X Identify
Identify
Preventive X X X Protect
Preventive X X X Identify
Preventive X X X Protect
Respond
Corrective X X X Recover
Detective X X X Detect Respond
Respond
Corrective X X X Recover
Protect
Preventive X X X Identify
Detective
Corrective X X X Detect Respond
Preventive X X X Protect
Protective
Corrective X Protect Respond
Preventive X X X Identify
Preventive X X X Identify
Identify
Preventive X X X Protect
Identify
Preventive X X X Protect
Preventive
Corrective X X X Identify
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive
Corrective X X X Protect Respond
Preventive X X X Protect
Preventive X Protect
Preventive X X X Protect
Detective X X X Detect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Detective X X X Detect
Preventive X X X Protect
Preventive X X X Protect
Preventive X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive
Detective X Protect Detect
Preventive X X Protect
Preventive X X X Protect
Preventive X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive Identify Protect
Detective X Detect
Preventive
Detective X X X Protect Detect
Corrective
Preventive X X X Protect
Preventive X X X Protect
Preventive X Protect
Preventive X Protect
Preventive
Detective X Protect Detect
Corrective X X Recover
Preventive X Protect
Detective X X X Detect
Detective
Corrective X X X Detect Respond
Detective X Protect Detect
Preventive X X X Protect
Preventive X X X Protect
Preventive
Detective X X X Protect Detect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X X Detect
Preventive Identify Protect
Detective X X X Detect
Preventive X X X Protect
Preventive X X X Protect
Preventive X X Protect
Preventive X X Protect
Security domains
Operational capabilities | Governance and Ecosystem | Protection | Defence | Resilience
Governance X X
Governance X X X
Governance X
Governance X
Governance X X
Governance X
Threat_and_ vulnerability_ management X X
Governance X X
Asset_management X X
Asset_management Information_ protection X X
Asset_management X
Information_ protection X X
Information_ protection X
Asset_management Information_ protection X
Identity_ and_access_ management X
Identity_ and_access_ management X
Identity_ and_access_ management X X
Identity_ and_access_ management X
Supplier_relationships_ security X X
Supplier_relationships_ security X X
Supplier_relationships_ security X X
Supplier_relationships_ security X X X
Supplier_relationships_ security X X
Information_security_event_management X
Information_security_event_management X
Information_security_event_management X
Information_security_event_management X
Information_security_event_management X
Continuity X X
Continuity X X
Legal_and_ compliance X X
Legal_and_ compliance X
Legal_and_ compliance Asset_management
Information_ protection X
Information_ protection Legal_and_
compliance X
Information_security_assurance X
Legal_and_ compliance X
Continuity Asset_management
Physical_security X X X
System_and_network_security
Human_resource_security X
Human_resource_security X
Human_resource_security X
Human_resource_security X
Human_resource_security
Asset_management X
Human_resource_security
Information_protection Supplier X
relationships
Asset_management System_and_
network_security Physical_security X X
Information_security_event_management X
Physical_security X
Physical_security X
Physical_security Asset_ management X
Physical_security X
Physical_security X
Physical_security X
Physical_security X
Physical_security Asset_ management X
Physical_security Asset_ management X
Physical_security Asset_ management X
Physical_security X
Physical_security X
Physical_security Asset_ management X X
Physical_security Asset_ management X
Asset_management Information_ protection X
Identity_ and_access_ management X
Identity_ and_access_ management X
Identity_ and_access_ management
Application_ security X
Identity_ and_access_ management X
Continuity X X
System_and_network_security X X
Threat_and_ vulnerability_ management X X X
Secure_configuration X X
Information_ protection X
Information_ protection X
Information_ protection X X
Continuity X
Continuity Asset_management X X
Information_security_event_management X X
Information_security_event_management X
Information_security_event_management X X
System_and_ network_security Secure_
configuration X
Secure_configuration X
System_and_network_security X
System_and_network_security X
System_and_network_security X
System_and_network_security X
Secure_configuration X
Application_security
System_and_network_security X
Application_security
System_and_network_security X X
Application_security
System_and_network_security X
Application_security
System_and_network_security X
Application_security
Information_security_assurance X
System_and_network_security
System_and_ network_security
Application_security Supplier_relationships_ X X
security
Application_security
System_and_network_security X
Application_security
System_and_network_security X
Information_ protection X
System_and_ network_security
Information_protection X X
The SoA is a mandatory ISO27001 document.
It contains the set of measures (controls) from Annex A of ISO27001:2022 (A.5 to A.8).
The measures are explained in more detail in ISO27002.
Further information can be found here:
ICT Institute | ISO27002:2022 explained – Organizational controls
ICT Institute | ISO27002:2022 explained – People controls
ICT Institute | ISO27002:2022 explained – Physical controls
ICT Institute | ISO27002:2022 explained – Technological controls
Per control, you should do the following:
Indicate whether it applies to your organization.
Give a justification for inclusion. This can be:
Regulatory compliance: this is mandatory by some applicable law
Contractual compliance: you have agreed with a customer or partner to do this
Best practice: you do it since you think it is useful and others do it as well
Risk analysis: you do it based on a risk from your risk analysis
You should, therefore, first do a risk analysis and analyse regulatory and contractual requirements before establishing the SoA.
If you deem a control not to apply to your organization, indicate why not (free text).
Next, for the controls that do apply, indicate whether they are actually implemented.
The first columns are a mandatory part of the SoA, and should be sent to other parties when the SoA is requested.
The final three columns contain internal (confidential) information, and may, therefore, not be shared with outsiders:
How and where the control is implemented
Which organizational role the control owner (responsible person) is
Whether there is a regular check on the control. Regular checks and evaluations are mandatory in an ISO27001 compliant ISMS.
6.1.3 Information security risk treatment
The organization shall define and apply an information security risk treatment process to:
a) select appropriate information security risk treatment options, taking account of the risk assessment results;
b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE 1 Organizations can design controls as required, or identify them from any source.
c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 2 Annex A contains a list of possible information security controls. Users of this document are directed to Annex A to ensure that no necessary information security controls are overlooked.
NOTE 3 The information security controls listed in Annex A are not exhaustive and additional information security controls can be included if needed.
d) produce a Statement of Applicability that contains:
— the necessary controls (see 6.1.3 b) and c));
— justification for their inclusion;
— whether the necessary controls are implemented or not; and
— the justification for excluding any of the Annex A controls.
e) formulate an information security risk treatment plan; and
f) obtain risk owners' approval of the information security risk treatment plan and acceptance of the residual information security risks.
The organization shall retain documented information about the information security risk treatment process.
NOTE 4 The information security risk assessment and treatment process in this document aligns with the principles and generic guidelines provided in ISO 31000[5].
Value legend:
Yes
No
?
Regulatory compliance
Contractual compliance
Best practice
Risk Analysis