Control Freaks! SOA Internal Control - Risk Register. Who’s on first?

The Statement of Applicability (SOA) defines both which of the 114 suggested controls from Annex A you will implement and the justification for not implementing certain controls. For ISO 27001, an SOA report is required, as well as an SOA statement for each control.

Your SOA can be maintained in the C1Risk platform GRC library and attached to multiple internal controls, as well as risks and assets for unified, automated monitoring of your assets, controls, risks and issues. This information is monitored in your compliance dashboard. 



General Application of the SOA

Even putting ISO 27001 certification requirements aside, the SOA is an incredibly useful application and can be used for many Standards or Regulations. Broadly speaking, it helps define your information security overall strategy and control strategy related to your risk register and risk treatment plan. As such, your SOA goes beyond informing your certification audit. Its primary value is as a tool for your organization to monitor and improve your ISMS. Combined with your Internal Controls and Risk Register, you have a detailed overview of how your organization practices information security — a working list of every control, why it’s needed, and a description of how it actually works, all monitored in your GRC automation platform.

Internal Audits

It will also be a focal point for your periodic internal security audits and help you fulfill your requirement to continuously review and improve your ISMS. It serves to translate your risk assessment into action and activate your risk treatment plan: what threats does your business face (risk assessment), how do you plan to prioritize and mitigate them (risk treatment plan), and what does that look like in practice (Internal Control/SOA)?

Audit/Auditor Certification 

It helps an auditor validate the design effectiveness and implementation of controls. During your ISO 27001 certification audit, your Internal Controls and Statement of Applicability enable your auditor to check whether your controls actually work the way you say they do.

Year Round SOA Reporting - No More Fire Drills

The SOA Report, which lists all applicable and non-applicable controls together with the explanation for each (the SOA), should be reviewed at least annually. The benefit of C1Risk compliance automation, however, is continuous monitoring of your assets, risks, controls and issues, so you can update your information as and when required instead of conducting an annual fire drill to get ready for your audit.

About Us...

C1Risk offers subscription-based Software and Support Services that are specifically designed for small to mid-size organizations.

Any size business can now take advantage of our subscription service to provide affordable access to cybersecurity management. 

When you subscribe to the C1Risk platform, you can build a risk-first cybersecurity program: track and value your assets, identify your risks, build your governance and compliance requirements, and manage any issues or incidents in real time on our fully automated, REST API integrated platform.
