Information Security Management

ISO 27001 Statement of Applicability (SoA)

Start with the free templates

Includes all the mandatory document templates — free, no commitment

The SoA is the map that links your risks to your controls. ISO 27001 requires every certified organisation to maintain an SoA that:

  • lists the controls you need;
  • gives a justification for inclusion;
  • states the implementation status; and
  • provides justification for excluding any Annex A controls

Done well, it keeps your ISMS focused on the controls that actually reduce risk.

Written by Alan Parker – ISO 27001 Consultant

Introduction

At the end of ISO 27001, Annex A has 93 controls grouped as Organisational (37), People (8), Physical (14), and Technological (34). It’s these controls that we must capture in the Statement of Applicability and address, one by one.

Organisations need to review each control and respond with how they will address it. The response is maintained in the SoA.

If a control is deemed as ‘not applicable’ (i.e. doesn’t apply to your business), then you mark it down as such in the document, but must give a justification as to why. A good example might be some of the controls in software development – so if you aren’t doing any, any control directly related to development (secure practices, for example) can be marked as ‘not applicable’.

Every organisation will complete its SoA based on its scope, risk appetite, and maturity. So, it won’t be the same for a small company just starting out, vs a multinational pharma company. They have very different DNA and, therefore, different responses in their SoA documents.

What’s Expected in a Statement of Applicability

A clear, single source of truth that anyone in audit or management can read and understand at a glance.

The SoA must contain;

  • Control ID & title (from Annex A)
  • Included? (Yes/No)
  • Justification (for inclusion or exclusion)
  • Status (Implemented / Partially implemented / Not implemented)

It’s then recommended that you also include;

  • Owner (accountable person)
  • Evidence/reference (policy/procedure, ticket, config, repo link)
  • Links to the risk assessment and risk treatment plan

These things make management of the controls a bit easier, but you can add any additional columns you wish.

Here’s an example of what the statement of applicability in ISO 27001 normally looks like;

An example screenshot of a statement of applicability template.

I have included a completed Statement of Applicability in my information security toolkit below that you can tailor to your needs.

ISO 27001 Full Document Toolkit

Every document your auditor
expects to see.

130 Word & Excel templates, ready to edit. Policies, risk register, Statement of Applicability, audit pack, staff communications — all updated for ISO 27001:2022.

130 templates

Instant download

Written by practising consultant

ISO 27001:2022

How to build a SoA

I’d suggest that you don’t start your SoA until you’ve confirmed your scope and the context of the organisation, so that you know what influences your ISMS. After that, hold a workshop on big-ticket risks that keep you awake at night around information security. With these things documented, you can shape your SoA much more effectively than if you jump straight in.

Then to construct your SoA, I suggest the following steps;

  1. Break the SoA into ‘doable’ chunks. If you sit down and try to run through the entire thing in one go, you’ll lose the will to live, so I think you should break it into either families (which are more organisational and technological in focus) or groups of 20 or so at a time.
  2. Sit with your team and discuss the controls. Working on the SoA by yourself is fine in a micro-organisation, but not when you are working as part of a wider team. Discussing the controls, what’s appropriate given your risk appetite, and how you want to approach things always produces better results when you do it collaboratively.
  3. Identify any control you think is out of scope for your organisation, and mark it as ‘not applicable’. However, don’t try to simply skip controls and mark them all as being out of scope. You can only skip them if you have a strong, documented justification.
  4. For each control, determine your minimum viable compliance position. Ask yourself, “How do we meet these controls, simply, and in alignment with our risk appetite – without overdoing it?” You don’t need to implement fancy software and tools for the sake of it, but you do need to implement the control appropriately. And who determines what ‘appropriate’ is? You.
  5. Link each control to supporting evidence, such as a policy or procedure. This isn’t required, but it makes life a lot easier during audits when you can link the control directly to an example of its implementation.

You’ll probably take a few passes through the SoA before you’re happy with it. There may be areas of overlap where you need to align things and ensure there are no contradictions.

ISO 27002

It’s important to understand that there is a supporting standard, ISO 27002, which guides the implementation of the controls in ISO 27001.

ISO 27002 isn’t mandatory – so you don’t have to implement everything it says, but it does provide a reference guide for what good looks like, and something that auditors will be familiar with when they are looking at controls.

So, for example, let’s take control 5.12 from Annex A in ISO 27001.

Example: Control 5.12 — Classification of information

What the control is asking (plain English):
Classify information according to the organisation’s confidentiality, integrity and availability needs (and any interested-party requirements), so people know how strongly to protect it.

How ISO 27002 helps (supporting ideas/guidance — not mandatory):

  1. Set a clear classification policy and ownership
    Create a short, topic-specific policy for information classification, hold owners accountable for classifying their information, and communicate it to relevant parties.
  2. Design a practical classification scheme.
    Base it on confidentiality, integrity and availability needs, plus legal/contractual requirements and real business needs for sharing versus restricting information. Keep it aligned with your access-control approach.
  3. Define levels and criteria that people can actually use
    Name the levels (e.g., four tiers from “no harm if disclosed” up to “serious business impact”) and spell out decision criteria so teams can classify consistently.
  4. Keep it consistent and reviewed.
    Apply the same scheme across the organisation, and build in periodic review so classifications change when information value/sensitivity changes over its life cycle (to avoid over- or under-classification).
  5. Plan for sharing with other organisations.
    When you exchange information externally, include a way to map your labels to theirs so handling expectations stays clear.
  6. Pair classification with labelling
    Have simple labelling procedures (headers/footers, metadata, stamps, etc.) so people and systems can see and act on the classification. This supports automation and reduces mistakes.

How this supports your SoA entry:
In your SoA row for 5.12, you can say it’s “Included” and briefly note that classification is implemented via a documented policy, an organisation-wide scheme (with levels/criteria), defined owners, labelling procedures, and a review cadence—then point to the specific documents and records as evidence. (Those specifics come from 27002’s guidance above.)

I’ve documented my take on each of the controls in Annex A here;

Exploring the Controls of ISO 27001 Annex A

What auditors actually check

In the stage one audit, they’ll fly through the SoA quickly and spot-check a few things. They don’t normally have the time to dive deep. However, in a stage two audit, the auditors will likely spend quite a bit of time reviewing the details of the SoA controls.

What are they actually looking for?

Well, a few things, but typically;

  • Traceability from risks → treatment plans → selected controls → status
  • Clear rationales for every exclusion (no hand-waving)
  • Consistency with reality (evidence and interviews match the SoA)
  • Alignment with the scope and the assets/processes you claim to protect
  • Change control (versions, approvals, recent updates)

It’s not for an auditor to say if the control is technically sound – they are there to review how you have said you have implemented the control based upon your risk assessment, then look at the supporting evidence.

Common mistakes (and easy fixes)

1) Vague justifications for exclusions
If you mark a control “N/A” without saying exactly why, an auditor can’t see your logic and will probe until they can.
How to avoid it: State the concrete reason the control doesn’t apply (scope, technology choice, operating model) and point to the risk/requirement you considered.
Weak: “N/A — not relevant.”
Better: “N/A — we have no on-premise infrastructure; all facilities are co-location with provider physical security, assured via supplier due diligence (SR-12) and contract §4.3.”

2) Putting suppliers out of scope
Cloud and third parties don’t remove your obligations; they change them. Excluding supplier-related controls leaves a gap.
How to avoid it: Keep supplier risk clearly in scope. Use the supplier controls (e.g., due diligence, contracts, monitoring) and reference the evidence you hold (assurance reports, security schedules, SLAs).
Example wording: “Included due to use of critical SaaS and IaaS providers. See Supplier Register (SR-##), DPAs, and quarterly monitoring logs.”

3) Copy-pasting all controls as “Yes”
A blanket “Yes” suggests a tick-box approach and often won’t align with your risk treatment plan.
How to avoid it: Include a control when a risk, legal/contractual duty, or business need demands it. If it’s not applicable, say so clearly. If it’s partially implemented, say that (with a target date).
Tip: Let your risk register drive inclusions; let your scope drive exclusions.

4) Drifting status (stale SoA)
An SoA that doesn’t reflect reality creates audit friction (and sometimes nonconformities).
How to avoid it: Put the SoA under change control with an owner. Review it quarterly or at Management Review, and after material changes (new product, new supplier, incident lessons learned). Show status as Implemented / Partially implemented / Planned with target dates and owners.

5) Mismatch with scope
If your scope says one thing and your SoA implies another, auditors will challenge both.
How to avoid it: Place the scope statement at the top of the SoA and update them together. Where a control decision relies on a scoping assumption (e.g., “no in-scope end-user devices”), state that assumption in the justification.

6) Hiding non-Annex A controls
If you use extra controls (e.g., a bespoke monitoring rule or a contractual safeguard) but don’t show them, your risk treatment looks incomplete.
How to avoid it: Add a short “Additional controls” section or flag them in your table with the same fields (reason, status, owner, evidence). Auditors just need to see how the risk is being treated, even if the control isn’t in Annex A.

Maintenance triggers

You’ll need to review the SoA at least annually, or any time there are major changes that potentially impact your controls, such as:

  • new or decommissioned systems, vendors, or locations;
  • material incidents or near-misses;
  • changes in legal/regulatory/contractual duties;
  • audit findings or risk re-scoring; or
  • organisational restructures affecting ownership.

FAQs

Is the SoA mandatory?

Yes—Clause 6.1.3 requires it, and auditors will rely on it.

How often should we review it?

At least annually and after significant change or incidents.

Who owns The Statement of Applicability?

Typically the ISMS owner or CISO; top management approves.

Where does ISO 27002 fit in?

It’s the guidance for how to implement Annex A controls—use it to shape your justifications and evidence.

Iseo Blue Limited - UK Registered Company Number : 10215427

Privacy Policy  

Registered office address: Belmont Suite Paragon Business Park, Chorley New Road, Bolton, England, United Kingdom, BL6 6HG