A common misconception about the ISO 27001 Statement of Applicability (SOA) is that the document should be classified as public, viewable by anyone who requests it. Classifying it that way could be dangerous to your organization and could undermine the very Information Security Management System (ISMS) it describes. To understand why this could be detrimental to your ISMS, we must first understand the purpose of the SOA and its intended audience.
The Statement of Applicability is one of the key documents of your ISMS. It is an output derived from the organization's Risk Assessment and Risk Treatment Plan, and it lists the controls selected for your organization. For each control the document records explanations and justifications, which may include specific details of what was implemented, when, where, and how. These controls may be based on ISO 27002 (Information technology – Security techniques – Code of practice for information security management) and will likely reference internal policies, procedures, or guidelines.
Now take this key document, which lists every control you have implemented along with detailed descriptions, and imagine it in the hands of an attacker. The first and most important step of an attack is reconnaissance, also known as information gathering. With access to a detailed SOA, an attacker has much of that reconnaissance done for them.
These risks can be mitigated in a number of ways, ranging from supervised on-site access for parties that need to see the document, to completely restricting access to the information. Your information security committee should evaluate these risks and implement an appropriate risk response.