Statement of Applicability (SoA)
Last Updated: 2026-02-12
Standard: ISO 27001:2022 -- Annex A
Review Cycle: Annually
Overview
This Statement of Applicability (SoA) documents the implementation status of the Annex A controls within the cloak.business Information Security Management System (ISMS). Note that the domain numbering and control counts used in this document follow ISO/IEC 27001:2013 Annex A (14 domains, A.5 to A.18, 114 controls); the 2022 revision of the standard regroups these controls into four themes (A.5 Organizational, A.6 People, A.7 Physical, A.8 Technological) totalling 93 controls. All 14 domains listed below are implemented and actively maintained.
Control Implementation Summary
| Domain | Status | Controls (count) |
|---|---|---|
| A.5 Information Security Policies | Implemented | 2 |
| A.6 Organization of Information Security | Implemented | 7 |
| A.7 Human Resource Security | Implemented | 6 |
| A.8 Asset Management | Implemented | 10 |
| A.9 Access Control | Implemented | 14 |
| A.10 Cryptography | Implemented | 2 |
| A.11 Physical and Environmental Security | Implemented | 15 |
| A.12 Operations Security | Implemented | 14 |
| A.13 Communications Security | Implemented | 7 |
| A.14 System Acquisition, Development and Maintenance | Implemented | 13 |
| A.15 Supplier Relationships | Implemented | 5 |
| A.16 Information Security Incident Management | Implemented | 7 |
| A.17 Business Continuity Management | Implemented | 4 |
| A.18 Compliance | Implemented | 8 |
A.5 -- Information Security Policies
Status: Implemented
Information security policies are established, approved by management, and communicated to all relevant personnel. The policy framework includes a top-level Information Security Policy supported by domain-specific policies covering access control, incident response, risk management, and data protection.
- Policies are reviewed annually and updated when significant changes occur
- All personnel acknowledge the information security policy
- Policy exceptions require documented justification and management approval
A.6 -- Organization of Information Security
Status: Implemented
Information security roles and responsibilities are clearly defined within the organization. Security management is integrated into business operations and project management processes.
- Security responsibilities are assigned to identified roles
- Segregation of duties is enforced for critical functions
- Contact with relevant authorities and special interest groups is maintained
- Information security is addressed in project management regardless of project type
A.7 -- Human Resource Security
Status: Implemented
Security responsibilities are addressed throughout the employment lifecycle, from pre-engagement through termination.
- Security responsibilities are included in employment terms
- Security awareness training is provided to all personnel
- Disciplinary processes exist for policy violations
- Responsibilities upon termination or change of role are clearly defined
- Return of assets and access revocation procedures are in place
A.8 -- Asset Management
Status: Implemented
Information assets are identified, classified, and managed throughout their lifecycle.
- An inventory of information assets is maintained
- Assets are classified according to sensitivity and business value
- Handling procedures are defined for each classification level
- Media handling and disposal procedures prevent unauthorized data disclosure
- Removable media usage is controlled and monitored
A.9 -- Access Control
Status: Implemented
Access to information and systems is controlled through a comprehensive role-based access control system.
- Access control policy defines authorization requirements
- User registration and deregistration processes manage the access lifecycle
- Privileged access is tightly controlled and monitored
- Authentication uses strong password hashing with optional multi-factor authentication
- Regular access reviews verify that permissions remain appropriate
- API access is authenticated and rate-limited
A.10 -- Cryptography
Status: Implemented
Cryptographic controls protect the confidentiality and integrity of information.
- Encryption in transit: All communications are encrypted using TLS with modern cipher suites
- Encryption at rest: Sensitive stored data is encrypted using AES-256-GCM
- Password hashing: Industry-standard algorithms with salting protect stored credentials
- Key management: Cryptographic keys are managed with defined generation, distribution, storage, rotation, and destruction procedures
- Token signing: Authentication tokens use cryptographic signing to prevent tampering
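The following Go program is an added illustration of the A.10 controls listed above and is not cloak.business code. It shows AES-256-GCM encryption at rest with a key-version prefix, so that rotating to a new key keeps records sealed under the old key readable, binds each ciphertext to its owning record through authenticated associated data, and signs tokens with HMAC-SHA256 verified in constant time. The in-memory keyring, the key IDs, the record format and the sample inputs are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Keyring holds AES-256 data-encryption keys by version ID so records sealed under an
// older key stay readable after rotation. Keys are generated in memory for this example only.
type Keyring struct {
	current string
	keys    map[string][]byte
}

func NewKeyring() *Keyring { return &Keyring{keys: map[string][]byte{}} }

// Rotate creates a fresh 256-bit key under id and makes it the active encryption key.
func (k *Keyring) Rotate(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	k.keys[id], k.current = key, id
	return nil
}

func (k *Keyring) gcm(id string) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", id)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns "<keyID>.<base64url(nonce || ciphertext || tag)>". aad (for example the
// owning record's ID) is authenticated but not encrypted, so a ciphertext moved to another record fails.
func (k *Keyring) Encrypt(plaintext, aad []byte) (string, error) {
	gcm, err := k.gcm(k.current)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, aad)
	return k.current + "." + base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Decrypt selects the key named in the prefix; a flipped bit, wrong key or wrong aad fails the GCM tag check.
func (k *Keyring) Decrypt(stored string, aad []byte) ([]byte, error) {
	id, b64, _ := strings.Cut(stored, ".")
	gcm, err := k.gcm(id)
	if err != nil {
		return nil, err
	}
	sealed, err := base64.RawURLEncoding.DecodeString(b64)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed ciphertext")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SignToken appends an HMAC-SHA256 tag; VerifyToken recomputes it and compares in constant time.
func SignToken(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func VerifyToken(key []byte, token string) (string, bool) {
	i := strings.LastIndexByte(token, '.') // the payload itself may contain dots
	if i < 0 {
		return "", false
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(token[:i]))
	got, err := base64.RawURLEncoding.DecodeString(token[i+1:])
	if err != nil || !hmac.Equal(got, mac.Sum(nil)) {
		return "", false
	}
	return token[:i], true
}

func main() {
	kr := NewKeyring()
	_ = kr.Rotate("k1")
	ct, _ := kr.Encrypt([]byte("constructed sample record"), []byte("customer:42"))
	_ = kr.Rotate("k2") // new writes use k2; the record sealed under k1 stays readable
	pt, err := kr.Decrypt(ct, []byte("customer:42"))
	fmt.Println(string(pt), err)
}
```

In a deployment the keyring would be backed by a KMS or HSM rather than process memory, and the key-version prefix is what lets a rotation procedure re-encrypt old records gradually while new writes already use the current key; the same prefix identifies which key a destruction procedure must keep until the last record under it has been re-encrypted.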
A.11 -- Physical and Environmental Security
Status: Implemented (data center level)
Physical security is managed at the data center facility level through our infrastructure provider, which maintains ISO 27001:2022 certification for its physical security controls.
- Data center facility is located in Germany with controlled physical access
- Multi-layer physical access controls (perimeter, building, server room)
- Environmental controls for power, cooling, and fire suppression
- Equipment maintenance and secure disposal procedures
- Visitor management and access logging at the facility level
A.12 -- Operations Security
Status: Implemented
Operational procedures ensure the secure and reliable operation of information processing systems.
- Documented operating procedures for critical operations
- Change management processes control modifications to systems
- Capacity management ensures adequate resources for service delivery
- Separation of development, testing, and production environments
- Protection against malware through multiple defensive layers
- Backup procedures with defined schedules and retention periods
- Event logging and monitoring for security-relevant activities
- Vulnerability management with regular scanning and patching
A.13 -- Communications Security
Status: Implemented
Network and information transfer security controls protect data in transit.
- Network architecture employs segmentation and access controls
- Services are isolated behind controlled interfaces
- All external communications are encrypted
- Secure information transfer policies and procedures are defined
- Non-disclosure and confidentiality agreements are in place where required
A.14 -- System Acquisition, Development and Maintenance
Status: Implemented
Security is integrated into the development lifecycle and system acquisition processes.
- Security requirements are defined for new systems and enhancements
- Secure development practices are followed, including code review
- Input validation and output encoding prevent injection vulnerabilities
- Parameterized queries protect against database injection
- Content security policies mitigate cross-site scripting risks
- Test data is managed to prevent exposure of sensitive information
- Change control procedures govern system modifications
A.15 -- Supplier Relationships
Status: Implemented
Third-party relationships are managed to mitigate supply chain security risks.
- Information security requirements are included in supplier agreements
- Sub-processors are documented in a maintained directory
- Supplier security practices are evaluated before engagement
- Changes to supplier services are monitored and assessed for security impact
- Data processing agreements are in place with all processors handling personal data
A.16 -- Information Security Incident Management
Status: Implemented
A structured incident management process ensures effective detection, response, and recovery from security incidents.
- Incident response plan defines roles, procedures, and communication channels
- Incidents are classified by severity with defined response timeframes
- Breach notification procedures comply with GDPR Article 33 (notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a breach) and Article 34 (communication to affected data subjects without undue delay)
- Post-incident reviews identify root causes and preventive measures
- Incident response capabilities are tested through regular exercises
- Evidence collection and preservation procedures support investigation
A.17 -- Information Security Aspects of Business Continuity Management
Status: Implemented
Business continuity measures ensure the availability and resilience of services.
- Business continuity requirements are defined for critical services
- Redundancy and failover capabilities support service availability
- Backup and recovery procedures are documented and tested
- Recovery time objectives and recovery point objectives are defined
- Continuity plans are reviewed and updated annually
A.18 -- Compliance
Status: Implemented
Compliance with legal, regulatory, and contractual requirements is systematically managed.
- Applicable legal and regulatory requirements are identified and documented
- GDPR compliance is maintained through technical and organizational measures
- ISO 27001:2022 certification is maintained through the ISMS
- Intellectual property rights are respected in all operations
- Privacy and protection of personal data comply with relevant legislation
- Independent reviews of the ISMS are conducted as part of the audit cycle
- Technical compliance is verified through security assessments and vulnerability scanning
Exclusions
No Annex A control domain is excluded from the scope of the cloak.business ISMS. All 14 domains listed above are applicable and implemented.
Revision History
| Version | Date | Changes |
|---|---|---|
| 1.0 | 2026-02-09 | Initial SoA publication |
Document maintained by cloak.business
Contact: support@cloak.business