Select Not/Applicable Controls
Write SOAs
One-click export SOA Reports for ISMS
Watch the video training here (6 mins).
What is a Statement of Applicability?
A Statement of Applicability (SOA) is a document that details which controls you have in place to manage the risks to the security of your businesses' confidential or sensitive information. It is the one document that contains every element you employ to achieve this and is therefore the most important document in your compliance.
The SOA helps an external auditor understand the organization and what controls have been implemented and assessed as part of that organization’s audit.
The Statement of Applicability is a required reporting document for your ISO 27001 ISMS, where you must provide a report demonstrating which controls are/not applicable, provide a corresponding statement and, where appropriate, the control owner. Your ISMS SOA report can be created easily in C1Risk (See below)
EXAMPLE: A Company with all remote workers and no physical office or locales should not have to comply with most physical security requirements.
If you don't have a house (Asset), you don't have a risk of fire (Risk), so you do not need a sprinkler system to protect it (Control)
Whether or not your audit requires a statement of applicability, C1Risk allows you to select the control requirements that are applicable to your company.
Where a Statement of Applicability is needed, that statement can be added in bulk (EG “In scope”) or in established as a unique statement in each control requirement.
Selecting Applicable Controls
When beginning your compliance journey, as you look at the regulation or standard you will be working against, you can evaluate whether or not certain controls are appropriate to your company. Identifying those controls that are not in scope for your company security can save you significant time and money.
- In the obligation record go the control library tab.
- Note that “applicability is displayed in the list view as “unknown”
- Select the controls that are applicable.
- Select all using the i.d. checkbox.
- Single select using the checkbox.
- Group select by holding the “Shift” key and mouse-click.
- Note the number of controls selected displays next to the i.d. box
Option i
Option ii
Option iii
- Go to the ellipsis drop down menu and select "Change Applicability".
2. Select "Yes" or "No". Click ‘Save”
Note the Applicability list view is now updated
Bulk Change the SOA
- Select the controls (follow the above steps)
- Go the ellipsis drop down menu and
- Select "Change SOA".
- Update or write the SOA. Click Save. The SOA can now be viewed in the individual record.
Write a unique SOA in the Control record.
- Go to the Obligation > Control Libraries tab,
- Click on the appropriate record, CTL i.d., to open it.
- Click ‘Change SOA’
2. Update the SOA status and statement, then click ‘Save’.
How to Print the Statement of Applicability Report (ISO 27001, etc.)
- Go to the Obligation > Details tab.
- Use the drop-down menu to select ‘Export SOA Report to Excel
Sample SOA Report
How to Use the SOA Filter in the Control Library
You can apply the SOA filter in the Control Library section to filter and work on only controls ‘in scope’ or review and verify controls ‘not in scope’ for audit.
- In the Control Library, select the ‘Applicability’ Filter and choose the controls you wish to see.
Note, the internal control and evidence tabs will auto-filter to only show what is related to your chosen controls.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article