Document ID: ISMS-SOA-001 | Version: 1.0 | Date: March 2026 | Classification: Internal | Owner: Information Security Manager
Introduction
This Statement of Applicability (SoA) documents the applicability of all 93 controls contained in Annex A of ISO/IEC 27001:2022 to [Organisation Name]'s ISMS. For each control, it states whether the control is applicable, provides the business justification for inclusion or exclusion, and records the current implementation status.
This SoA was derived from the results of the risk assessment (ISMS-RISK-001) and the risk treatment process (ISMS-RTP-001). It must be reviewed annually and updated whenever the risk register or scope changes materially.
Implementation Status Key:
- Implemented — Control is fully in place and effective
- Partially Implemented — Control exists but gaps remain; improvement in progress
- Planned — Control selected for implementation; not yet commenced
- Not Applicable — Control does not apply to this organisation; justification provided
Theme 5 — Organisational Controls
| Control ID | Control Name | Applicable | Justification | Implementation Status |
|---|---|---|---|---|
| 5.1 | Policies for information security | Y | Top-level and supporting policies are required by ISO 27001:2022 Clause 5.2 and provide the governance framework for the ISMS | Implemented |
| 5.2 | Information security roles and responsibilities | Y | Defined roles (CISO, ISM, System Owners) are essential for accountability and ISMS operation across the organisation | Implemented |
| 5.3 | Segregation of duties | Y | The organisation handles sensitive client data and offensive security tools; segregation reduces risk of insider fraud and tool misuse | Partially Implemented |
| 5.4 | Management responsibilities | Y | Line managers are responsible for enforcing policy compliance within their teams; required for effective security culture | Implemented |
| 5.5 | Contact with authorities | Y | Required to maintain relationships with OAIC, law enforcement, and regulators for incident notification and compliance purposes | Implemented |
| 5.6 | Contact with special interest groups | Y | Threat intelligence sharing with industry groups (AISA, CISA advisories) informs the organisation’s threat landscape analysis | Implemented |
| 5.7 | Threat intelligence | Y | Organisation operates a managed SOC; proactive threat intelligence consumption is core to service delivery and internal risk management | Implemented |
| 5.8 | Information security in project management | Y | All new service launches and infrastructure changes require security review before go-live to prevent introducing new risks | Partially Implemented |
| 5.9 | Inventory of information and other associated assets | Y | Asset inventory is required for effective risk assessment and supports access control, backup, and disposal processes | Partially Implemented |
| 5.10 | Acceptable use of information and other associated assets | Y | Acceptable use rules govern how employees and contractors interact with organisational assets and client data | Implemented |
| 5.11 | Return of assets | Y | All equipment and access credentials must be returned on termination; policy and HR process required | Implemented |
| 5.12 | Classification of information | Y | Client data, financial data, and security reports require classification to drive appropriate handling and protection | Implemented |
| 5.13 | Labelling of information | Y | Physical and digital labelling ensures classification is communicated to all who handle the information | Partially Implemented |
| 5.14 | Information transfer | Y | Organisation transfers sensitive reports and data to clients; secure transfer procedures are essential | Partially Implemented |
| 5.15 | Access control | Y | Least-privilege access to client data, production systems, and offensive tooling is a core security requirement | Implemented |
| 5.16 | Identity management | Y | All users must have unique identities; shared accounts are prohibited to ensure accountability | Implemented |
| 5.17 | Authentication information | Y | Password policy, MFA requirements, and credential management are critical given the threat of phishing and credential theft | Implemented |
| 5.18 | Access rights | Y | Formal process for granting, modifying, and revoking access rights; quarterly access reviews required | Partially Implemented |
| 5.19 | Information security in supplier relationships | Y | Third-party suppliers including SIEM vendor, cloud providers, and HR SaaS have access to client or employee data | Partially Implemented |
| 5.20 | Addressing information security within supplier agreements | Y | Contractual security obligations are required for all Tier 1 and Tier 2 suppliers; current gap identified in risk register (R-012) | Partially Implemented |
| 5.21 | Managing information security in the ICT supply chain | Y | Organisation depends on cloud infrastructure and software libraries; supply chain attacks are an active threat | Partially Implemented |
| 5.22 | Monitoring, review and change management of supplier services | Y | Annual supplier security reviews and performance monitoring are required for Tier 1 suppliers per Supplier Security Policy | Partially Implemented |
| 5.23 | Information security for use of cloud services | Y | Organisation relies on AWS and Azure for SOC platform, client data processing, and collaboration tools; cloud security controls are essential | Implemented |
| 5.24 | Information security incident management planning and preparation | Y | Incident response capability is a contractual and regulatory requirement; SOC services depend on defined response procedures | Implemented |
| 5.25 | Assessment and decision on information security events | Y | Triage process to classify events as incidents is required; supports the SOC’s core function | Implemented |
| 5.26 | Response to information security incidents | Y | Defined response procedures per incident severity are documented in the Incident Response Policy | Implemented |
| 5.27 | Learning from information security incidents | Y | Post-incident reviews feed improvements into controls and procedures; required by Clause 10.1 | Implemented |
| 5.28 | Collection of evidence | Y | Forensic evidence collection is required for legal proceedings and root cause analysis; organisation handles client breach response | Partially Implemented |
| 5.29 | Information security during disruption | Y | Business continuity controls must maintain minimum security posture during disruption events | Partially Implemented |
| 5.30 | ICT readiness for business continuity | Y | IT recovery capabilities with defined RTO/RPO are required to meet client SLAs | Partially Implemented |
| 5.31 | Legal, statutory, regulatory and contractual requirements | Y | Organisation must comply with Privacy Act 1988, GDPR, and multiple client contractual security requirements | Implemented |
| 5.32 | Intellectual property rights | Y | Organisation produces security tools and reports; IP ownership and licensing controls are required | Implemented |
| 5.33 | Protection of records | Y | ISMS records, audit logs, and client data must be retained and protected per legal and contractual requirements | Implemented |
| 5.34 | Privacy and protection of PII | Y | Organisation processes client employee PII during security assessments and its own employee PII in HR systems | Implemented |
| 5.35 | Independent review of information security | Y | External certification audits and internal audits provide independent assurance; required by Clause 9.2 | Implemented |
| 5.36 | Compliance with policies, rules and standards | Y | Compliance checking against policies is conducted via internal audits and management reviews | Partially Implemented |
| 5.37 | Documented operating procedures | Y | Operational procedures for SOC, incident response, change management, and access provisioning must be documented and followed | Partially Implemented |
Theme 6 — People Controls
| Control ID | Control Name | Applicable | Justification | Implementation Status |
|---|---|---|---|---|
| 6.1 | Screening | Y | Background checks are conducted before hiring staff with access to client data or offensive tools; proportionate to risk | Implemented |
| 6.2 | Terms and conditions of employment | Y | Employment contracts include security obligations, confidentiality requirements, and acceptable use acknowledgement | Implemented |
| 6.3 | Information security awareness, education and training | Y | Annual security awareness training and role-specific training are required for all staff and contractors | Partially Implemented |
| 6.4 | Disciplinary process | Y | Formal disciplinary process for security policy violations is required to enforce accountability | Implemented |
| 6.5 | Responsibilities after termination or change of employment | Y | Confidentiality obligations and asset return requirements extend beyond employment; critical for protecting client data | Implemented |
| 6.6 | Confidentiality or non-disclosure agreements | Y | NDAs are required with clients, suppliers, and all staff with access to sensitive information | Implemented |
| 6.7 | Remote working | Y | Organisation operates a remote-first workforce; specific controls for home working and mobile working are essential | Implemented |
| 6.8 | Information security event reporting | Y | All staff must know how and where to report security events; no-blame reporting culture is actively promoted | Implemented |
Theme 7 — Physical Controls
| Control ID | Control Name | Applicable | Justification | Implementation Status |
|---|---|---|---|---|
| 7.1 | Physical security perimeters | Y | Server room and office premises require defined physical boundaries with appropriate access controls | Partially Implemented |
| 7.2 | Physical entry | Y | Badge access and visitor management controls are required for offices and restricted areas | Partially Implemented |
| 7.3 | Securing offices, rooms and facilities | Y | General office, server room, and secure storage areas each require appropriate physical security measures | Partially Implemented |
| 7.4 | Physical security monitoring | Y | CCTV and access logs are required for restricted areas; currently a gap identified in risk register (R-007) | Planned |
| 7.5 | Protecting against physical and environmental threats | Y | Server room environmental controls (temperature, fire suppression, power) are required for hardware protection | Partially Implemented |
| 7.6 | Working in secure areas | Y | Procedures for working in restricted areas (server room, lab) are required to prevent inadvertent exposure | Implemented |
| 7.7 | Clear desk and clear screen | Y | Clear desk and screen lock requirements are necessary given the sensitivity of client and security data handled | Implemented |
| 7.8 | Siting and protection of equipment | Y | Servers and workstations must be positioned and secured to reduce risks of damage or theft | Implemented |
| 7.9 | Security of assets off-premises | Y | Laptops and mobile devices used by remote staff require encryption and security controls | Implemented |
| 7.10 | Storage media | Y | Removable media containing client data or backup data requires encryption and tracking | Partially Implemented |
| 7.11 | Supporting utilities | Y | UPS and generator required for server room to protect against power outage | Partially Implemented |
| 7.12 | Cabling security | Y | Network and power cabling in server room requires labelling and physical protection | Partially Implemented |
| 7.13 | Equipment maintenance | Y | Server and network hardware requires scheduled maintenance to ensure continued availability | Implemented |
| 7.14 | Secure disposal or re-use of equipment | Y | All hardware containing data requires certified disposal; prevents data remnant exposure | Implemented |
Theme 8 — Technological Controls
| Control ID | Control Name | Applicable | Justification | Implementation Status |
|---|---|---|---|---|
| 8.1 | User endpoint devices | Y | All laptops and mobile devices require encryption, MDM enrolment, and endpoint protection | Implemented |
| 8.2 | Privileged access rights | Y | Privileged accounts for AWS, Azure, Active Directory, and SIEM require dedicated accounts, MFA, and PAM controls | Partially Implemented |
| 8.3 | Information access restriction | Y | Access to client data and sensitive systems is restricted by role and enforced via access control lists | Implemented |
| 8.4 | Access to source code | Y | Source code access is restricted to named developers; protected in private GitHub organisation | Implemented |
| 8.5 | Secure authentication | Y | MFA is mandatory for all critical systems; authentication standards are defined in the Access Control Policy | Implemented |
| 8.6 | Capacity management | Y | Cloud resource usage and storage capacity are monitored to ensure performance and availability targets are met | Partially Implemented |
| 8.7 | Protection against malware | Y | Endpoint Detection and Response (EDR) is deployed on all endpoints; email filtering and URL filtering are in place | Implemented |
| 8.8 | Management of technical vulnerabilities | Y | Vulnerability scanning and patch management with defined SLAs are required; gap identified in risk register (R-001) | Partially Implemented |
| 8.9 | Configuration management | Y | Baseline configurations for servers, endpoints, and cloud environments are documented and enforced | Partially Implemented |
| 8.10 | Information deletion | Y | Client data and employee records must be securely deleted at end of retention period or contract termination | Partially Implemented |
| 8.11 | Data masking | Y | PII and sensitive data must be masked in non-production environments; test data policies are required | Planned |
| 8.12 | Data leakage prevention | Y | DLP controls are required given the volume of sensitive client data processed; currently under evaluation | Planned |
| 8.13 | Information backup | Y | Daily backups with offline copy and monthly restore testing are required; gap identified in risk register (R-010) | Partially Implemented |
| 8.14 | Redundancy of information processing facilities | Y | Tier 1 services require redundancy and failover to meet RTO/RPO commitments to clients | Partially Implemented |
| 8.15 | Logging | Y | Security event logging from all critical systems to centralised SIEM is a core control and supports incident response | Implemented |
| 8.16 | Monitoring activities | Y | 24/7 SOC monitoring of security events, alerts, and anomalies is the organisation’s core service and internal control | Implemented |
| 8.17 | Clock synchronisation | Y | All systems synchronised to NTP with an authoritative time source; required for reliable log correlation across systems and for defensible forensic timelines | Implemented |
| 8.18 | Use of privileged utility programs | Y | Access to system utilities (e.g., raw disk access, password reset tools) is restricted to named privileged users | Implemented |
| 8.19 | Installation of software on operational systems | Y | Software installation on production systems requires change management approval; no unauthorised software permitted | Implemented |
| 8.20 | Networks security | Y | Network segmentation, firewall rules, and IDS/IPS are required to protect internal and client systems | Partially Implemented |
| 8.21 | Security of network services | Y | Security requirements for internet-facing services, VPN, and cloud connectivity are documented and enforced | Partially Implemented |
| 8.22 | Segregation of networks | Y | Lab network, corporate network, guest Wi-Fi, and cloud environments are segmented; gap noted in risk register (R-013) | Partially Implemented |
| 8.23 | Web filtering | Y | URL and content filtering is required to block access to malicious sites and enforce acceptable use policy | Implemented |
| 8.24 | Use of cryptography | Y | Encryption is mandatory for data at rest and in transit; approved algorithms are defined in the Cryptography Policy | Implemented |
| 8.25 | Secure development lifecycle | Y | Security requirements, code review, and SAST/DAST are required in the development process for internal tooling | Partially Implemented |
| 8.26 | Application security requirements | Y | Security requirements are defined before development or procurement of any application handling sensitive data | Partially Implemented |
| 8.27 | Secure system architecture and engineering principles | Y | Secure-by-design principles (least privilege, defence in depth, fail-safe defaults) are applied to all system designs | Partially Implemented |
| 8.28 | Secure coding | Y | Developers follow OWASP secure coding guidelines; peer review is required before merging to main branch | Partially Implemented |
| 8.29 | Security testing in development and acceptance | Y | Penetration testing and vulnerability scanning of new systems before production release is required | Partially Implemented |
| 8.30 | Outsourced development | Y | Where development is outsourced, security requirements and code review rights must be included in contracts | Planned |
| 8.31 | Separation of development, test and production environments | Y | Development, test, and production environments are separated; no live client data in dev/test environments | Implemented |
| 8.32 | Change management | Y | All changes to production systems require formal approval, testing, and rollback planning via change management process | Partially Implemented |
| 8.33 | Test information | Y | Test environments use anonymised or synthetic data; no live client PII permitted in test environments | Partially Implemented |
| 8.34 | Protection of information systems during audit testing | Y | Internal audit and penetration testing activities on production systems require controlled access and change management approval | Implemented |
Review History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | March 2026 | [ISM Name] | Initial issue — all 93 controls reviewed |