ISO 19770-1: 2017 – SoA: In an exercise for a recent review of content of ISO 19770-1, I came across the need to have a Statement of Applicability (SoA) called out as a deliverable of the Standard.
I wanted to put a few points together as to why an SoA is deemed necessary, what value it can bring, and what the contents of same might look like.
ISO 19770-1: 2017 – SoA – Background:
Many years ago, Steve Watkins of IT Governance took me through my ISO 27001 Foundation training. This week-long course introduced me to the concept of a Management Systems Standard, and how the headings in such standards were the same, merely the content changed based upon the topic in question.
We then moved onto the Statement of Applicability – and these were the take-away points:
When certification was initially awarded for achieving given management system standards, there was no way of determining the reach or boundary of the said management system – you could very easily be forgiven for thinking that the management system applied to the full boundary of the company’s estate.
Not so!
So a revision was required to qualify the boundary to which a management system applied, and the communication of that boundary to fans of certificates on walls.
Another takeaway from my learning with Steve Watkins was that you could have two versions of your Statement of Applicability: one that is public-facing, and another that could be classed as “Commercial in Confidence”, but that they shouldn’t be able to be confused when compared to one another.
However, that still leaves us with something of a blank page when it comes to ITAM – just what information do we bring to the SoA?
What I am about to offer is my own take on the topic. This is not definitive or absolute by any means – merely my thoughts on the matter.
The reason for the summary level of data within the public-facing instance of the SoA is primarily aesthetic. Your certificate is typically one sheet of A4/ Letter when printed, and if an SoA is also printed and placed alongside that certification then it should be the same size. It should also offer relevant information should a reader wish to take matters further. Your Commercial in Confidence SoA does not have to be limited in page size.
Now I know some of you might be reading this and saying “Applications in Scope? I could fill a spreadsheet with a reply to this”. There’s nothing to stop you offering a reply of “Available Upon Request”. You could also offer such a qualification for Vendors in Scope as well.
Remember: the public-facing SoA is there to offer interested parties just enough knowledge to feel informed, and to field circa 80% of inquiries that might arise should anyone start digging about what SAM/ ITAM does in an organization.
Another important tip (and this is going way back to my days of working at FAST): nine times out of ten, certification to a Standard will not stop an audit; it merely demonstrates that, should a vendor invoke an audit, you will have your SAM/ ITAM ducks in a row.
Some people in the industry might then argue “why bother with certification if that’s the case?” I can think of numerous high profile cases where SAM/ ITAM teams were in place, but still failed to prevent 8-figure financial liabilities because doing the right thing seemed too difficult:
“Opportunity is often missed because it is disguised in overalls and looks like work”. {Thomas Edison}
Certification is not merely for the sake of the auditors who stop by, but also for the adjacent areas of the business that SAM/ ITAM rub shoulders with:
- Service Management
- Info Sec
- Mergers & Acquisitions/ Legal
- Procurement
- Business Continuity Management
- Disaster Recovery
A proper risk assessment at the beginning of your ISO journey will tease out these use cases that too often get missed when we hunker down and look to generate compliance reports because “That’s what SAM is all about”.
Summary
Noises are being made to do away with the Statement of Applicability – and I suspect it’s because of the ambiguity relating to its contents. However, many management systems standards get by without one quite easily.
Time will tell whether it survives or not, but for the sake of your business and your ongoing journey up a SAM/ ITAM maturity curve, knowing your boundary of operations will greatly aid in where to go next.
If you would like to read more on ISO 19770-1: 2017, then head over to our main page to learn more.