Statement Of Applicability Case Project

This project requires a risk-driven SOA that justifies every excluded control.

The Scenario

Company: Cloud IA

Industry: B2B SaaS - Data Analytics Platform

Employees: 85 (fully remote)

Infrastructure: 100% cloud (AWS), no physical data centers

Customers: 200+ enterprise clients requiring ISO 27001 certification

Goal: Achieve ISO 27001:2022 certification within 6 months

Risk Assessment Summary

The company has completed a risk assessment identifying these top risks:

  • Unauthorized access to customer data

  • Employee laptop theft/loss

  • Cloud misconfiguration

  • Insider threat

  • Third-party breach (AWS)

  • Business continuity failure

Key Judgments Applied:

  • Risk-Driven Inclusions: The SOA links controls back to the specific risks identified in the risk assessment (R-001 to R-006).

  • Justified Exclusions: 19 controls are excluded. The primary drivers are the fully remote, no-premises business model and the context of the API product and its development model. Each exclusion has a justification and alternative measures.

  • Honest Status: No control is marked "Implemented" without a supporting reference. Many are marked "Partial" or "Planned" to accurately reflect the 6-month implementation journey.

  • Contextual Reality: The SOA reflects the actual state of Cloud IA as a remote-first, cloud-only company. Physical controls are not forced in, and the implementation status acknowledges that some formal processes are still being built.

  • Auditor Defense Ready: The exclusion summary and the mapping of alternative measures provide the foundation for answering an auditor's questions about physical security.

© 2025. All rights reserved.