Statement of Applicability (SoA)
Purpose. The SoA is the central control document of the ISMS (ISO/IEC 27001:2022 clause 6.1.3 d). It lists all 93 Annex A controls, states for each whether it is applicable to Soon, gives the justification for inclusion or exclusion, and points to how/where it is implemented. The auditor uses this document as the map for the entire Stage 2 audit.
Status: DRAFT. The applicability decisions below are set and justified. Many implementing documents are still being tailored from templates (status `draft`/`template` in REGISTER.md); the "Implementation" column reflects the current reality. This document will be finalised and approved once the risk assessment (ISMS-DOC-06-2/06-3) is complete and the referenced controls are operating.
How applicability was decided
- Driven by the Context & Scope and (once complete) the Risk Assessment (ISMS-DOC-06-2 / 06-3) and Risk Treatment Plan (ISMS-DOC-06-4).
- Soon is a fully-remote, cloud-native SaaS on AWS (eu-west-1) with no offices and no data centres. Physical/environmental controls are therefore largely inherited from AWS (independently certified to ISO/IEC 27001, SOC 1/2, PCI DSS) or not applicable, with justification per control.
- Development is performed in-house; there is no outsourced development.
Summary
| Annex A controls | Count |
|---|---|
| Total | 93 |
| Applicable | 84 |
| Not applicable (excluded) | 9 |
Excluded controls: A.7.1, A.7.2, A.7.3, A.7.4, A.7.5, A.7.6, A.7.11, A.7.12 (physical/environmental — no Soon premises, inherited from AWS) and A.8.30 (no outsourced development). Justifications in the tables below.
Legend — Applicable: ✅ Yes · ➖ No (excluded). Implementation: links to the implementing document where one exists; otherwise the planned document ID (see ROADMAP.md).
A.5 — Organizational controls (37)
| Control | Title | Applic. | Justification & implementation |
|---|---|---|---|
| A.5.1 | Policies for information security | ✅ | Required. Information Security Policy (ISMS-DOC-05-4) + topic-specific policies in this repo. |
| A.5.2 | Information security roles and responsibilities | ✅ | Required. To be defined in Roles, Responsibilities & Authorities (ISMS-DOC-05-2). TODO(owner): assign ISM and control owners. |
| A.5.3 | Segregation of duties | ✅ | Applicable but constrained by small team; compensating controls (review, logging) used. Segregation of Duties Guidelines (ISMS-DOC-A05-3-1) to create. |
| A.5.4 | Management responsibilities | ✅ | Leadership mandates compliance. Executive Support Letter + management review. |
| A.5.5 | Contact with authorities | ✅ | Need to reach DPAs/CERT. Authorities Contacts (ISMS-DOC-A05-5-1) to create. |
| A.5.6 | Contact with special interest groups | ✅ | Security community/threat sources. Specialist Interest Group Contacts (ISMS-DOC-A05-6-1) to create. |
| A.5.7 | Threat intelligence | ✅ | Threat Intelligence Policy (ISMS-DOC-A05-7-1). |
| A.5.8 | Information security in project management | ✅ | Security considered in product/projects. Guidelines (ISMS-DOC-A05-8-1) to create; partly via Secure Development. |
| A.5.9 | Inventory of information and other associated assets | ✅ | Asset Management Policy; Information Asset Inventory (ISMS-DOC-A05-9-2) to create — high priority. |
| A.5.10 | Acceptable use of information and associated assets | ✅ | Acceptable Use Policy, Electronic Messaging, Online Collaboration. |
| A.5.11 | Return of assets | ✅ | On leaver/change events. Termination & Change Checklist. |
| A.5.12 | Classification of information | ✅ | Classification scheme in use (Public/Internal/Confidential/Restricted). Information Classification Procedure (ISMS-DOC-A05-12-1) to create. |
| A.5.13 | Labelling of information | ✅ | Labelling Procedure (ISMS-DOC-A05-13-1) to create; doc front-matter classification supports this. |
| A.5.14 | Information transfer | ✅ | Encrypted transfer; Electronic Messaging + Online Collaboration. |
| A.5.15 | Access control | ✅ | Access Control Policy (ISMS-DOC-A05-15-1). |
| A.5.16 | Identity management | ✅ | SSO/SAML + unique IDs. Covered by Access Control Policy; User Access Management Process (ISMS-DOC-A05-18-1) to create. |
| A.5.17 | Authentication information | ✅ | MFA enforced for production; password/secret handling in Access Control & Cryptographic policies. |
| A.5.18 | Access rights | ✅ | Joiner/mover/leaver reviews. User Access Management Process (ISMS-DOC-A05-18-1) to create. |
| A.5.19 | Information security in supplier relationships | ✅ | Supplier Relationships Policy (ISMS-DOC-A05-19-1). |
| A.5.20 | Addressing information security within supplier agreements | ✅ | DPAs/agreements with AWS, Stripe, Intercom, etc. Supplier Information Security Agreement (ISMS-DOC-A05-20-1) to create. |
| A.5.21 | Managing information security in the ICT supply chain | ✅ | Supplier due-diligence process (ISMS-DOC-A05-21-1) to create; covered partly by supplier policy. |
| A.5.22 | Monitoring, review and change management of supplier services | ✅ | Periodic supplier review (ISMS-DOC-A05-22-1) to create. |
| A.5.23 | Information security for use of cloud services | ✅ | Cloud Services Policy + Cloud Architecture Policy. Core control (AWS). |
| A.5.24 | Information security incident management planning and preparation | ✅ | Incident Response Procedure + plans (ISMS-DOC-A05-24/26) to create — high priority. |
| A.5.25 | Assessment and decision on information security events | ✅ | Event Assessment Procedure (ISMS-DOC-A05-25-1) to create. |
| A.5.26 | Response to information security incidents | ✅ | Incident Response Procedure (ISMS-DOC-A05-26-1) to create — high priority. |
| A.5.27 | Learning from information security incidents | ✅ | Lessons-learned report (ISMS-FORM-A05-27-1) to create. |
| A.5.28 | Collection of evidence | ✅ | Forensic-readiness steps within incident response. To document in ISMS-DOC-A05-26-1. |
| A.5.29 | Information security during disruption | ✅ | Continuity arrangements; AWS multi-AZ. Business/ICT continuity set (ISMS-DOC-A05-30) to create. |
| A.5.30 | ICT readiness for business continuity | ✅ | Backups, RTO/RPO, AWS redundancy. ICT Continuity Plan (ISMS-DOC-A05-30-4) to create. |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | ✅ | Legal & Regulatory Requirements Procedure; GDPR/NIS2. |
| A.5.32 | Intellectual property rights | ✅ | IP and Copyright Compliance Policy. |
| A.5.33 | Protection of records | ✅ | Records Retention and Protection Policy. |
| A.5.34 | Privacy and protection of PII | ✅ | Privacy and Personal Data Protection Policy; GDPR processor. |
| A.5.35 | Independent review of information security | ✅ | Internal audit + external certification audit. Procedure for Internal Audits (ISMS-DOC-09-2) to create. |
| A.5.36 | Compliance with policies, rules and standards | ✅ | Management review, internal audit, this SoA. |
| A.5.37 | Documented operating procedures | ✅ | Runbooks/operating procedures (ISMS-DOC-A05-37-1) to create/collect. |
A.6 — People controls (8)
| Control | Title | Applic. | Justification & implementation |
|---|---|---|---|
| A.6.1 | Screening | ✅ | Employee Screening Procedure + checklist, where legally permissible. |
| A.6.2 | Terms and conditions of employment | ✅ | Guidelines for Inclusion in Employment Contracts. |
| A.6.3 | Information security awareness, education and training | ✅ | Awareness training (ISMS-DOC-07-6) to create; competence development. |
| A.6.4 | Disciplinary process | ✅ | Employee Disciplinary Process. |
| A.6.5 | Responsibilities after termination or change of employment | ✅ | Termination & Change Checklist. |
| A.6.6 | Confidentiality or non-disclosure agreements | ✅ | NDA + Schedule of Confidentiality Agreements. |
| A.6.7 | Remote working | ✅ | Core control for Soon. Remote Working Policy. |
| A.6.8 | Information security event reporting | ✅ | Event Reporting Procedure. |
A.7 — Physical controls (14)
Soon has no offices and no data centres. Infrastructure physical security is inherited from AWS (certified). Controls relevant to home working and endpoints remain applicable.
| Control | Title | Applic. | Justification & implementation |
|---|---|---|---|
| A.7.1 | Physical security perimeters | ➖ | No Soon premises; data-centre perimeters inherited from AWS. |
| A.7.2 | Physical entry | ➖ | No Soon premises; AWS data-centre entry controls inherited. |
| A.7.3 | Securing offices, rooms and facilities | ➖ | Soon operates no offices/facilities. |
| A.7.4 | Physical security monitoring | ➖ | Inherited from AWS (data-centre CCTV/monitoring). |
| A.7.5 | Protecting against physical and environmental threats | ➖ | Inherited from AWS (fire/flood/power protections in data centres). |
| A.7.6 | Working in secure areas | ➖ | No Soon secure areas exist. |
| A.7.7 | Clear desk and clear screen | ✅ | Applies to home working. Clear Desk and Clear Screen Policy. |
| A.7.8 | Equipment siting and protection | ✅ | Endpoint siting at home covered by Remote Working Policy; infra inherited from AWS. |
| A.7.9 | Security of assets off-premises | ✅ | All assets are off-premises by design. Remote Working + Mobile Device / BYOD policies. |
| A.7.10 | Storage media | ✅ | Cloud-only; removable media prohibited via Acceptable Use Policy. |
| A.7.11 | Supporting utilities | ➖ | Power/cooling/UPS inherited from AWS; no Soon facilities. |
| A.7.12 | Cabling security | ➖ | No Soon premises/cabling; inherited from AWS. |
| A.7.13 | Equipment maintenance | ✅ | Endpoint patching/maintenance via Mobile Device / Anti-Malware policies; infra maintained by AWS. |
| A.7.14 | Secure disposal or re-use of equipment | ✅ | Secure wipe of endpoints on offboarding (Disposal of Media, ISMS-DOC-A07-14-1, to create); cloud media handled by AWS. |
A.8 — Technological controls (34)
| Control | Title | Applic. | Justification & implementation |
|---|---|---|---|
| A.8.1 | User endpoint devices | ✅ | Mobile Device Policy + BYOD Policy. |
| A.8.2 | Privileged access rights | ✅ | Least privilege; MFA for production. Covered by Access Control Policy; Privileged Utility Program Register (ISMS-DOC-A08-18-1) to create. |
| A.8.3 | Information access restriction | ✅ | Dynamic Access Control Policy + Access Control Policy. |
| A.8.4 | Access to source code | ✅ | GitHub repo permissions, branch protection, peer review. To document in Secure Development. |
| A.8.5 | Secure authentication | ✅ | MFA enforced; SSO/SAML. Dynamic Access Control + Access Control. |
| A.8.6 | Capacity management | ✅ | AWS autoscaling/monitoring. Capacity Plan (ISMS-DOC-A08-6-1) to create. |
| A.8.7 | Protection against malware | ✅ | Anti-Malware Policy. |
| A.8.8 | Management of technical vulnerabilities | ✅ | Technical Vulnerability Management Policy; dependency scanning; pentest. |
| A.8.9 | Configuration management | ✅ | Configuration Management Policy; IaC. |
| A.8.10 | Information deletion | ✅ | Information Deletion Policy; GDPR erasure. |
| A.8.11 | Data masking | ✅ | Data Masking Policy. |
| A.8.12 | Data leakage prevention | ✅ | Data Leakage Prevention Policy. |
| A.8.13 | Information backup | ✅ | Backup Policy; AWS PITR backups. |
| A.8.14 | Redundancy of information processing facilities | ✅ | Availability Management Policy; AWS multi-AZ. |
| A.8.15 | Logging | ✅ | Logging and Monitoring Policy; CloudWatch, Sentry. |
| A.8.16 | Monitoring activities | ✅ | Monitoring Policy; alerting on availability/error rates. |
| A.8.17 | Clock synchronization | ✅ | NTP via AWS across systems. To note in operating procedures. |
| A.8.18 | Use of privileged utility programs | ✅ | Restricted/logged. Privileged Utility Program Register (ISMS-DOC-A08-18-1) to create. |
| A.8.19 | Installation of software on operational systems | ✅ | Software Policy; controlled deployments. |
| A.8.20 | Networks security | ✅ | Network Security Policy; VPC, security groups, TLS. |
| A.8.21 | Security of network services | ✅ | Covered by Network Security Policy; AWS-managed load balancers/TLS. |
| A.8.22 | Segregation of networks | ✅ | Isolated VPCs; prod/staging/dev separation. Network Security Policy. |
| A.8.23 | Web filtering | ✅ | Web Filtering Policy. |
| A.8.24 | Use of cryptography | ✅ | Cryptographic Policy; TLS 1.2+, AES-256. |
| A.8.25 | Secure development life cycle | ✅ | Secure Development Policy. |
| A.8.26 | Application security requirements | ✅ | OWASP-aligned requirements. Requirements Specification (ISMS-FORM-A08-26-1) to create; in Secure Development. |
| A.8.27 | Secure system architecture and engineering principles | ✅ | Principles for Engineering Secure Systems (ISMS-DOC-A08-27-1) to create; covered by Secure Development. |
| A.8.28 | Secure coding | ✅ | Secure Coding Policy; peer review. |
| A.8.29 | Security testing in development and acceptance | ✅ | CI tests, pentest, acceptance checklist (ISMS-FORM-A08-29-1) to create. |
| A.8.30 | Outsourced development | ➖ | Excluded: all development is performed in-house; none is outsourced. |
| A.8.31 | Separation of development, test and production environments | ✅ | Prod/staging/dev logically separated. Secure Development Environment Guidelines (ISMS-DOC-A08-31-1) to create. |
| A.8.32 | Change management | ✅ | Change Management Process; PR review, CI/CD. |
| A.8.33 | Test information | ✅ | Use of masked/synthetic data in non-prod. To document with Data Masking + Secure Development. |
| A.8.34 | Protection of information systems during audit testing | ✅ | Controlled, read-only access for audits; scoped testing windows. To document in operating procedures. |
Related documents
- Context & Scope (ISMS-DOC-04-1)
- Risk Assessment and Treatment Process (ISMS-DOC-06-2) — to create
- Risk Assessment Report (ISMS-DOC-06-3) — to create
- Risk Treatment Plan (ISMS-DOC-06-4)
- ROADMAP.md — status of every referenced document
Change log
| Version | Date | Author | Comments |
|---|---|---|---|
| 0.1 | 2026-06-25 | Andrea Cardinali / ISMS | First draft — all 93 Annex A:2022 controls listed with applicability decisions and justifications; implementation references mapped to the repo. Pending completion of the risk assessment and tailoring of referenced documents. |