Statement of Applicability

From Metaware's knowledge center.
Keywords:
Statement of Applicability, ISMS, Information Security Management System, control framework, control system, control measures, audit, compliance, ISO27001, quality, quality management, management system, NEN7510, BIO


Statement of Applicability - what is it

A Statement of Applicability (SoA) is a mandatory document within an ISO 27001-certified Information Security Management System (ISMS). It contains an overview of all control measures from Annex A of the standard and indicates which of these measures do or do not apply to the organization. The SoA thus provides substantiated insight into the chosen security measures, based on the risk analysis carried out. The primary goal of the SoA is to demonstrate that relevant security measures have been consciously selected, implemented or excluded with reasons. In the context of ISO 27001, the SoA is essential for the certification audit, because it forms a direct link between risks, controls and compliance. A similar requirement for establishing the applicability of security measures also applies to NEN 7510, which is specifically aimed at information security in healthcare. The SoA shows how the organization fulfils the requirements of the standard and offers transparency towards stakeholders. By clearly recording why certain measures have or have not been applied, the document increases accountability and the manageability of risks. The connection between ISO 27001 and NEN 7510 lies in their shared requirement for systematic risk analysis and control measures. Finally, the SoA is a living document that must be periodically reviewed in the event of changing risks or organizational changes.


Statement of Applicability vs Control Framework

A control framework is an advanced form of a statement of applicability: it not only records which measures have been chosen, but also actively manages them within a dynamic structure. Whereas the statement of applicability is mainly a static document, a control framework offers workflow management, such as assigning tasks to those responsible and automatic notifications of deadlines or changes. This makes it easier to assure compliance with measures from ISO 27001 and/or NEN 7510 and provides real-time insight into the progress and effectiveness of implementation. Each control in the framework is linked to specific actions, status updates and documentation, making accountability and the audit trail easy to follow. By integrating all control measures from the standard within one system, a living and manageable whole is created that supports continuous improvement.


Control framework ISO 27001

A control framework for ISO 27001 (version 2022) provides a structured approach to effectively implement, manage and monitor the controls prescribed in this standard. 

Key elements of a control framework for ISO 27001:2022:

1. Risk assessment and management
The basis of an ISO 27001 control framework is risk management. The control framework therefore starts with a systematic approach to risk assessment. The framework should help to:

  • Identify and evaluate risks (where are the vulnerabilities, threats and their impact?).
  • Establish risk criteria (when is a risk acceptable or unacceptable?).
  • Define measures to mitigate identified risks.

This helps organizations assess risk in a consistent manner and prioritize the security measures that matter most.

2. Structure of the control framework
An effective ISO 27001 control framework is built around the 93 controls included in Annex A of ISO 27001:2022. These are divided into four themes:

  • Organizational measures (e.g., policies, roles, and responsibilities)
  • People measures (such as security awareness and training)
  • Physical measures (such as security of buildings and equipment)
  • Technical measures (such as encryption, access control and logging)

For each measure, a plan is drawn up that describes:

  • The exact control measure.
  • The required technical or organizational solutions.
  • Who is responsible for implementation, compliance and periodic checks.

3. Policies and procedures
The framework should include a set of policies and procedures that meet the requirements of ISO 27001 and support the day-to-day operations of the organization. These are, for example:

  • Information Security Policy.
  • Access control guidelines.
  • Incident management procedures.
  • Procedures for continuous improvement.

This documentation provides employees with guidance and ensures consistency in the implementation of security measures.

4. Assignment of roles and responsibilities
To ensure the effectiveness of the control measures, the framework must define clear roles and responsibilities. This includes:

  • A Chief Information Security Officer (CISO) / Security Officer (SO) or an information security officer.
  • Risk owners who are responsible for specific risks within their domain.
  • Technical and operational teams that perform and maintain controls.

Clear allocation ensures accountability and prevents measures from going unfollowed.

5. Monitoring and reporting
An important part of the control framework is monitoring the effectiveness of control measures. This includes:

  • Carrying out periodic checks and audits (internally or by third parties).
  • Monitoring of anomalies and incidents.
  • Regular risk assessments to detect changes in the organization or in the threat landscape.

The results of these audits are reported to management and form the basis for continuous improvement of the ISMS.

6. Training and awareness
ISO 27001 states that all those involved must be aware of their role in information security. The framework should therefore also include training and awareness programs.
This can consist of:

  • Regular training courses and refreshers for employees on information security.
  • Specific training for IT staff in the field of security.
  • Campaigns to strengthen the overall security culture.

7. Incident Management and Remediation Actions
The framework should include a process for identifying, reporting, and resolving security incidents.
This includes:

  • Setting up an incident response team.
  • Procedures for rapid escalation and follow-up of incidents.
  • A plan for recovery and continuous improvement to apply lessons learned from incidents.

8. Continuous improvement
ISO 27001:2022 requires a cycle of continuous improvement to ensure that the ISMS adapts to new threats and requirements. This means that:

  • The framework is regularly reviewed and adapted.
  • Lessons are learned from audits, incidents and new risk analyses.
  • Improvements are applied systematically, for example using the PDCA (Plan-Do-Check-Act) cycle.

Implementation considerations
A well-designed control framework must be flexible and scalable, so that it grows with the organization and aligns with both technological and operational changes. In addition, it is essential to carry out periodic evaluations and checks to ensure that the control measures remain effective and in line with the current business and risk context.

Conclusion
A control framework for ISO 27001:2022 is more than just a collection of technical measures. It is a holistic approach that combines policies, procedures, roles, training and technical controls to ensure information security in an integrated and effective way. With a well-designed control framework, an organization can not only certify itself according to ISO 27001, but also structurally strengthen its security posture and proactively manage risks.

Control framework ISO 27001 example

As an example, an ISMS (Information Security Management System) control framework has been developed, aimed at ISO 27001 Annex A: a set of 95 controls for information security, applied where applicable.
The ISMS control framework is part of the management system platform. The assessment results of the effectiveness audits of the relevant control measures are periodically recorded here. A major advantage is that there are direct links with the described management system and the various quality registrations or KPI measurements.

Business partners

Metaware likes to work with knowledgeable advisors. We provide the tools, the management system platform, and our business partners have the substantive knowledge, each in their own field, be it ISO27001, COSO, ISAE 3402, COBIT, BIO, NEN7510, AVG, GDPR or any other control framework.

Click here for the ISO 27001:2022 ISMS control framework from our business partner meta-audit.nl


Start your free trial now

We don't have 'shiny leaflets'. Get behind the buttons right away and experience the convenience, overview and productivity improvement.
We help you online and enrich you with the experience and best practices of other users.