BIZOPS-60 PIMS Statement of Applicability


What is this control about?

The “PIMS Statement of Applicability” control requires organizations to establish a clear and comprehensive document that outlines the scope, controls, and applicability of their Privacy Information Management System (PIMS). The Statement of Applicability (SoA) serves as a key reference for managing privacy-related risks and for demonstrating compliance with applicable privacy laws and regulations.

Available tools in the marketplace


Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

Control implementation

Here are some guidelines to implement an effective PIMS Statement of Applicability program:

  • Understand the Privacy Management Framework: Familiarize yourself with the organization’s privacy management framework, including its Privacy Information Management System (PIMS) and related policies, procedures, and guidelines. This will provide you with an understanding of the organization’s privacy goals, processes, and the context in which the SoA will be developed.
  • Identify Applicable Privacy Controls: Identify the privacy controls that are relevant to the organization’s operations and the specific context of its PIMS. These controls should address the organization’s privacy risks and align with applicable privacy laws, regulations, and industry best practices. Consider frameworks such as ISO 27701, GDPR, or industry-specific standards to guide control selection.
  • Document the Privacy Control Framework: Document the privacy control framework, including the control objectives, control descriptions, and control references. This documentation should provide a clear overview of the privacy controls selected for the organization’s PIMS. Ensure that the control descriptions are concise, understandable, and aligned with the organization’s privacy objectives.
  • Assess Control Applicability: Evaluate the applicability of each privacy control to the organization’s specific context. Consider the organization’s scope, activities, processes, systems, and the nature of personal information being processed. Determine if each control is applicable, partially applicable, or not applicable to the organization’s PIMS. Justify the assessment based on the organization’s specific circumstances.
  • Determine Control Implementation Status: Determine the implementation status of each applicable privacy control. Assess whether the control is fully implemented, partially implemented, or not yet implemented within the organization’s PIMS. Document the implementation status for each control in a structured format, such as a matrix or table.
  • Document the Statement of Applicability: Prepare the Statement of Applicability (SoA) document, which summarizes the control framework, control applicability, and implementation status. Include a clear statement of the organization’s scope, the purpose of the SoA, and any assumptions or exclusions. Structure the SoA in a logical and organized manner, making it easily understandable and accessible to relevant stakeholders.
  • Review and Approve the SoA: Conduct a review of the SoA by relevant stakeholders, such as privacy officers, legal experts, and senior management. Seek their input, feedback, and approval to ensure the accuracy and completeness of the SoA. Obtain necessary sign-offs or approvals to demonstrate ownership and commitment to the SoA.
  • Communicate and Distribute the SoA: Share the finalized SoA with key stakeholders, such as employees, management, auditors, and regulators. Ensure that the SoA is accessible to relevant parties and stored in a central location or document management system. Communicate the purpose, significance, and relevance of the SoA to raise awareness and understanding of the organization’s privacy controls.
  • Periodic Review and Updates: Regularly review and update the SoA to reflect changes in the organization’s privacy landscape, regulatory requirements, or other relevant factors. Conduct periodic assessments to ensure the continued relevance and accuracy of the control framework, applicability assessments, and implementation status. Document any changes made to the SoA and maintain a version history.

What evidence do auditors look for?

Most auditors, at a minimum, look for the following evidence:

  • Statement of Applicability Document: The primary evidence auditors look for is the SoA document itself. This document should clearly outline the scope of the PIMS, the privacy controls selected, their applicability assessment, and the implementation status. The SoA should be comprehensive, well-structured, and regularly updated to reflect any changes or updates to the organization’s privacy control framework.

Evidence example

For the suggested action, an example is provided below:

  • Statement of Applicability Document

Leverage this template: PIMS ISO 27001:2022 SoA template
