A Statement of Applicability (SoA) is the definitive record of which ISO 27001 Annex A security controls your organisation has implemented, and which it hasn't, within its Information Security Management System (ISMS).
Think of it as the master blueprint that connects your identified risks to the concrete safeguards you have in place. It clearly justifies each decision, showing the auditor the rationale behind your chosen security posture.
As a cornerstone of ISO 27001 compliance (clause 6.1.3 d) of the standard requires it), the SoA is typically one of the first documents an auditor asks for at the start of a certification audit.

The SoA connects your risk assessment with your risk treatment plan by identifying the controls you have implemented to mitigate the identified risks, the controls that are not applicable, and the justifications for both.
Why the SoA matters:
Certification Requirement: A mandatory document for achieving ISO 27001 certification.
Audit Focus: Auditors heavily scrutinise your SoA to verify your ISMS implementation.
Risk Management: Shows how your chosen controls effectively address your risk profile.
Transparency: Provides internal and external stakeholders with a clear understanding of your security measures.
Recordkeeping: Acts as an ongoing reference document for future surveillance and re-certification audits.
A well-prepared SoA typically includes:
List of Controls: Every control in ISO 27001 Annex A. ISO/IEC 27001:2022 lists 93 controls grouped into four themes (organisational, people, physical, technological); the superseded 2013 edition listed 114 across 14 domains, so check which edition you are certifying against.
Applicability: Whether each control is applicable to your organization.
Justification: Reason why each control is included or excluded.
Implementation Status: Whether each control has been implemented, partially implemented, or not yet implemented.
Additional Controls: Any extra controls you have adopted beyond those in Annex A.

Building the SoA is a five-step process:
Start with your Risk Assessment: Understand the specific risks your organisation faces.
Review ISO 27001 Annex A Controls: Determine applicability based on risk treatment needs.
Document Justifications: Clearly explain why each control is or isn't applicable.
Track Implementation Status: Update the SoA as you roll out or improve controls.
Review Regularly: The SoA must be updated over time, especially before audits and whenever the risk assessment or scope changes.
Common mistakes to avoid:
Missing Justifications: Always justify inclusions and exclusions.
Ignoring Implementation Status: Auditors expect current, honest reporting.
Treating It As "One and Done": The SoA should evolve as your ISMS matures.
Poor Linkage to Risk Assessment: Each applicable control must tie directly to identified risks (or to a legal, regulatory or contractual obligation), and a control selected in the risk treatment plan cannot be marked not applicable.
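The contents list above and the mistakes list are mechanical enough to check before an audit. The following is an added example, not code from the original page or from any ISO 27001 tooling: a small Python checker that runs an SoA table against a risk register and flags missing justifications, dangling or absent risk links, inconsistent implementation status, controls excluded despite being selected by a risk treatment, and Annex A controls missing from the SoA altogether. The SoA rows, the risk register and the list of expected controls are constructed sample data (the control identifiers are real 2022 Annex A numbers, the risk IDs R-01 to R-03 are invented); the rule that every applicable control must link to at least one risk is an assumption of this checker, since a legal or contractual basis is also a valid justification in practice.

```python
"""Consistency checks for an ISO 27001 Statement of Applicability (SoA).

Added example; the data below is constructed and deliberately contains
the mistakes a certification auditor would pick up.
"""
from dataclasses import dataclass

VALID_STATUSES = {"implemented", "partially implemented", "not implemented"}


@dataclass(frozen=True)
class SoaEntry:
    control_id: str
    title: str
    applicable: bool
    justification: str
    status: str
    risk_ids: tuple = ()  # risks from the register this control treats


# Constructed risk register: risk id -> controls the treatment plan selects.
RISK_REGISTER = {
    "R-01": {"A.8.8"},            # unpatched internet-facing services
    "R-02": {"A.5.1", "A.5.7"},   # no governance over security decisions
    "R-03": {"A.7.4"},            # tailgating into the server room
}

# Constructed SoA rows. Each mistake is noted inline.
SAMPLE_SOA = [
    SoaEntry("A.5.1", "Policies for information security", True,
             "Treats R-02; baseline governance", "implemented", ("R-02",)),
    SoaEntry("A.5.7", "Threat intelligence", True,
             "", "partially implemented", ("R-02",)),          # no justification
    SoaEntry("A.7.4", "Physical security monitoring", False,
             "Fully remote organisation", "implemented"),     # excluded, yet selected by R-03 and 'implemented'
    SoaEntry("A.8.8", "Management of technical vulnerabilities", True,
             "Treats R-01", "implemented", ("R-99",)),         # R-99 is not in the register
    SoaEntry("A.8.23", "Web filtering", True,
             "Considered useful", "planned"),                 # no risk link, invalid status
]

# Subset of Annex A the SoA is expected to cover (constructed for the example).
EXPECTED_CONTROLS = {"A.5.1", "A.5.7", "A.7.4", "A.8.8", "A.8.23", "A.8.28"}


def check_soa(entries, risk_register, expected_controls):
    """Return a list of (control_id, problem) tuples; empty means the SoA is consistent."""
    findings = []
    seen = set()

    # Invert the register so we can ask "which risks selected this control?"
    selected_by = {}
    for risk_id, controls in risk_register.items():
        for control in controls:
            selected_by.setdefault(control, set()).add(risk_id)

    for entry in entries:
        seen.add(entry.control_id)
        if not entry.justification.strip():
            findings.append((entry.control_id, "missing justification"))
        if entry.status not in VALID_STATUSES:
            findings.append((entry.control_id, f"invalid status '{entry.status}'"))
        if entry.applicable:
            # Assumption of this checker: applicability must trace to the risk assessment.
            if not entry.risk_ids:
                findings.append((entry.control_id, "applicable but linked to no risk"))
            for risk_id in entry.risk_ids:
                if risk_id not in risk_register:
                    findings.append((entry.control_id, f"links to unknown risk {risk_id}"))
        else:
            if entry.status == "implemented":
                findings.append((entry.control_id, "excluded yet marked implemented"))
            if entry.control_id in selected_by:
                risks = ", ".join(sorted(selected_by[entry.control_id]))
                findings.append((entry.control_id, f"excluded but selected by treatment of {risks}"))

    for missing in sorted(expected_controls - seen):
        findings.append((missing, "control absent from SoA"))
    return findings


if __name__ == "__main__":
    for control_id, problem in check_soa(SAMPLE_SOA, RISK_REGISTER, EXPECTED_CONTROLS):
        print(f"{control_id}: {problem}")
```

Run against the sample data the checker reports seven findings: one for each deliberate mistake in A.5.7, A.8.8 and A.8.23 (two for the last), two for A.7.4, and one for A.8.28, which the treatment plan never reaches but Annex A still requires a decision on. A.5.1 produces nothing. Feeding it a real SoA exported to a spreadsheet is a matter of mapping the columns onto SoaEntry; the checks themselves do not change.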
The Statement of Applicability isn't just a tick-box exercise; it's the heart of your ISMS. It shows how thoughtfully you manage risks and protect your organisation.
When done right, your SoA not only satisfies ISO auditors but also strengthens your overall cybersecurity posture.
For more information, go to https://compassrose.one/common-iso-standards-compliance/new-iso27001-2022