MaxiCert

ISO 27001:2022 Documentation for a Government Entity in Saudi Arabia – A Confidential Case Study


Introduction

In the digital era, protecting sensitive information is crucial, especially for government institutions that manage large volumes of public and internal data. A government-owned company in Saudi Arabia partnered with MaxiCert to initiate its journey toward ISO 27001:2022 compliance, starting with the development of two critical components:

  • Statement of Applicability (SoA)
  • Context of the Organization (COTO) Log

This case study outlines how MaxiCert helped the client lay a strong foundation for a robust Information Security Management System (ISMS).

Client Overview (Confidential)

The client operates under the Saudi government and is responsible for delivering public-facing services in the infrastructure and administrative domain. With a growing reliance on digital platforms and cloud-based operations, the organization recognized the need to formally manage information security risks and align with international standards.


Objectives of Engagement

  • Identify and document all applicable ISO 27001 controls
  • Understand internal and external issues affecting information security
  • Define interested parties and their expectations
  • Develop mandatory ISMS documentation for audit readiness
  • Enable future implementation and certification of ISO 27001

MaxiCert’s Scope of Work

MaxiCert was engaged specifically to deliver:

Statement of Applicability (SoA)

A core ISO 27001 requirement, the SoA was developed to:

  • Review each Annex A control (A.5 to A.18)
  • Determine applicability based on business relevance
  • Define implementation status and supporting evidence
  • Include justification for exclusions with traceable references
  • Align controls with the company’s documented policies and processes

Key features:

  • Mapped 114 controls across functional and IT departments
  • Cited reference documents and procedures for each applicable control
  • Included version control, remarks, and scope of implementation
  • Identified areas of non-applicability with justification (e.g., controls related to development environments not in use)

Context of the Organization (COTO) Log

MaxiCert worked closely with department heads to capture:

  • Internal and external issues impacting ISMS
  • A full register of interested parties, including regulators, employees, auditors, and local communities
  • Needs and expectations of each stakeholder
  • Reason for inclusion and their impact on business processes
  • Document reference integration for audit readiness

This log helped define the ISMS scope and ensured top management understood key influencing factors, such as:

  • Risk of litigation from external legal entities
  • Stakeholder demands for transparency and service reliability
  • Community expectations regarding environmental and digital impact
  • Employee concerns about data privacy and operational integrity

Challenges Addressed

  • Lack of awareness about ISO 27001 requirements within departments
  • No formal documentation or references for information security controls
  • Difficulty identifying non-applicable clauses and providing evidence
  • No structured mechanism for analysing interested parties

Deliverables & Impact

By the end of the engagement, MaxiCert successfully delivered:

  • A fully detailed Statement of Applicability, ready for internal audit
  • A comprehensive Context of the Organization register
  • Increased awareness among the management and IT teams about ISMS fundamentals
  • A structured foundation for future ISO 27001 implementation and certification

Conclusion

This project highlights how MaxiCert supports organizations in early-stage ISMS development, even before full implementation begins. With well-structured SoA and COTO documentation, the client now possesses the core elements needed for policy creation, risk assessment, and auditor engagement.


FAQ

What is a Statement of Applicability (SoA) in ISO 27001?

The SoA is a mandatory document that lists all 114 Annex A controls of ISO 27001. It identifies which controls are applicable to the organization, provides justifications for their inclusion or exclusion, and links each control to implemented policies, procedures, or evidence. It’s a critical document during audits.

The COTO defines internal and external factors, as well as interested parties that influence your information security management system. It ensures the ISMS scope is relevant and aligned with the organization’s real-world risks and stakeholder expectations.

Yes. In fact, SoA and COTO are two of the first documents you need to build a compliant ISMS. They form the base for defining scope, risks, and control selection — paving the way for policy development, training, and audit readiness.

With MaxiCert’s expert team, SoA and COTO preparation usually takes 1 to 2 weeks, depending on company size and availability of input from internal stakeholders. These documents are tailored and audit-ready from day one.
