Exploring the ISO 27001 Statement of Applicability

Introduction to the Information Security Management System

ISO 27001:2022 is an international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).


The standard helps organisations of all sizes and sectors protect their information assets and manage the security of sensitive data, whether it’s related to employees, customers, or business operations.


A key component of ISO 27001:2022 is the Statement of Applicability (SoA). The SoA plays a crucial role in connecting the risks identified by the organisation with the controls chosen to mitigate those risks.



It is considered a central document within the ISO 27001 framework. It is a pivotal reference guide for stakeholders and is essential during certification audits. It serves as a roadmap for how an organisation intends to safeguard its information and ensure compliance with the ISO 27001 framework.




This article explains the Statement of Applicability, why it is important, how it is constructed, and how organisations can best use it as part of their ISMS.


What is the Statement of Applicability?

The Statement of Applicability (SoA) is a document required by ISO 27001:2022 that lists the information security controls an organisation has chosen to implement as part of its Information Security Management System (ISMS).


This SoA document serves multiple purposes, primarily as a bridge between the risks identified during the risk assessment and the organisation's controls to address these risks.


The SoA includes:

  • A list of all applicable controls from Annex A of ISO 27001, which contains the reference set of information security controls.

  • Justifications for inclusion or exclusion of each control based on the organisation’s risk assessment.

  • The implementation status of each control (whether implemented, partially implemented, or not).


The SoA is not just a compliance checklist. It’s a dynamic document tailored to each organisation’s specific context. Each organisation faces unique risks depending on its size, industry, and operational environment, so the SoA helps ensure that the controls selected are relevant and proportionate to the risks.



In short, the Statement of Applicability explains:

  1. Which controls are selected from the standard.

  2. Why those controls were selected (or not selected).

  3. How the organisation will implement these controls.


Importance of the Statement of Applicability

The Statement of Applicability (SoA) is a cornerstone of the ISO 27001:2022 certification process and the broader Information Security Management System (ISMS).


It is a vital document for several reasons, all of which contribute to an organisation’s ability to manage risk and maintain security compliance.


The SoA outlines necessary controls and specifies exclusions for mitigating information security risks.


1. Compliance with ISO 27001

The SoA is a mandatory document for organisations seeking ISO 27001 certification. Auditors will review it during certification and surveillance audits to ensure the organisation’s security measures align with the standard.


The SoA demonstrates that the organisation has conducted a thorough risk assessment and chosen appropriate controls to manage those risks.


2. Tailored Risk Management

One of the key strengths of the SoA is that it ensures the organisation’s security controls are tailored to specific risks. Rather than using a one-size-fits-all approach, the SoA aligns the selection of controls with the actual threats the organisation faces. This means that the company is not just implementing controls for compliance but is using them strategically to protect valuable information.


3. Transparency and Accountability

The SoA clearly documents which controls are in place, why they were chosen, and whether they have been implemented. This transparency is essential for internal accountability, as it ensures that management and staff understand their roles and responsibilities regarding information security.


Moreover, it creates a clear record for external stakeholders, such as customers and regulatory bodies, showing the organisation’s commitment to protecting information.


4. Flexibility and Scalability

As organisations evolve, so do their risks. The SoA offers flexibility to update and modify controls as new risks emerge or the organisation grows. It helps ensure the ISMS remains scalable and adaptable to changing business needs and technological advancements.


5. Facilitating Communication Across the Organisation

By documenting security controls and their justifications, the SoA facilitates communication across different departments. It is a reference point for various teams (IT, legal, operations) to understand how their functions contribute to the overall information security posture. This helps break down silos and ensures cohesive action when it comes to protecting sensitive information.





Components of the Statement of Applicability

The Statement of Applicability (SoA) is a comprehensive document containing several key components, all of which are necessary for it to serve its purpose within the ISMS.


Each component has a specific role in ensuring that the selected controls align with the organisation’s risk landscape and operational needs.


The risk assessment report is also crucial in the context of ISO 27001 documentation requirements. It identifies and analyses risks to the ISMS, providing a detailed basis for defining necessary controls.


1. List of Controls

The SoA contains a list of all controls, particularly those from Annex A of ISO 27001, which provides a reference set of controls for managing information security risks.


These controls cover many areas, including organisational security policies, physical security, and cybersecurity measures.


Each control from Annex A is either:

  • Included: Chosen for implementation because it is deemed necessary to mitigate identified risks.

  • Excluded: Not chosen, with a clear justification for why it does not apply to the organisation’s specific context.


2. Justification for Control Selection

For each control, the SoA must explain why the control has been selected or excluded. This justification is based on the organisation’s risk assessment and security strategy. If a control is not relevant to the organisation due to its size, industry, or specific risk profile, the reasoning for its exclusion must be documented.


For example:


  • A small, office-based company may not need extensive physical security measures, and it can justify the exclusion of certain physical controls.

  • On the other hand, an organisation in the financial sector may include enhanced access control measures due to the sensitive nature of the data it handles.


3. Status of Implementation

The SoA also documents the status of each control. This section outlines whether a control is:


  • Implemented: Fully in place and operational.

  • Partially implemented: Some steps have been taken, but the control is not fully operational.

  • Not implemented: The control has been identified but has not yet been actioned.


This component of the SoA clearly shows the organisation’s current security posture and highlights areas where further effort or resources are needed to implement necessary controls.



4. Justification for Exclusion

In cases where a control from Annex A is excluded, the SoA must include a clear justification for its exclusion. This might be because the control does not align with the organisation's specific risk profile or because the organisation has an alternative method to mitigate the risk. These exclusions must be defensible during an audit, as auditors will look closely at the reasoning behind omitted controls.


For example, if a control related to encryption is excluded, the organisation may need to explain that it has alternative, equally secure methods for protecting sensitive data.


5. Link to Risk Assessment

The SoA should be directly linked to the organisation’s risk assessment process. Each chosen or excluded control must correspond to specific risks identified during this assessment. This ensures that the SoA is grounded in the organisation's actual threats rather than being a theoretical or arbitrary document.


How to Create and Maintain the Statement of Applicability


Creating and maintaining the Statement of Applicability (SoA) is a structured process that requires careful attention to the organisation’s risk landscape and the ISO 27001:2022 requirements.


A crucial part of this process is developing a risk treatment plan outlining how identified risks will be addressed, detailing mitigation strategies and assigning responsibility for each risk. This section outlines the steps involved in developing and keeping the SoA up to date as part of an effective Information Security Management System (ISMS).


1. Conduct a Thorough Risk Assessment Process


The first step in creating the SoA is a comprehensive information security risk assessment. This process identifies potential threats to the organisation's information assets and evaluates their likelihood and impact. The risk assessment aims to identify where security controls are needed to mitigate identified risks.


During this assessment, the organisation:


  • Defines risk criteria (e.g., what levels of risk are acceptable).

  • Identifies threats and vulnerabilities to information assets.

  • Prioritises risks based on their severity, guiding the selection of appropriate controls.


2. Select Applicable Controls from Annex A


Once the risks have been identified, the next step is to determine which controls from Annex A of ISO 27001 are applicable.


Each control in Annex A corresponds to a specific type of risk, and organisations must evaluate which controls address the risks they have identified.


Controls should be chosen based on:


  • Risk treatment decisions: These decisions outline how the organisation will mitigate or manage risks, either by implementing controls, accepting the risk, or transferring it (e.g., through insurance).

  • Business requirements: Some controls may be necessary to comply with legal, regulatory, or contractual obligations.


3. Document Control Status


As part of the SoA, the organisation must record the status of each control.


For each selected control, it is important to clarify whether the control is already in place, is being implemented, or has not yet been started. This documentation provides a clear picture of the organisation’s current security posture and highlights where further action is needed.



4. Provide Justifications for Control Selection or Exclusion


For each control, the SoA must include a justification for its selection or exclusion. Controls that are chosen should be supported by the risks they mitigate, while excluded controls must have a clear rationale as to why they are not applicable.


For instance, if a control related to network access restrictions is chosen, the justification might be that it mitigates the risk of unauthorised access to sensitive information. Conversely, if a control is excluded, the organisation must document why it is unnecessary, such as not handling specific types of sensitive data.



5. Review and Approve the SoA


Once the initial SoA has been drafted, it should be reviewed by relevant stakeholders within the organisation, including management and information security personnel. This ensures that the SoA aligns with the organisation’s overall security objectives and risk appetite. It also provides a final opportunity to identify any gaps or areas needing improvement.


The SoA must be approved by top management, as it is a critical document that impacts the organisation’s security strategy and certification process.



6. Ongoing Maintenance of the SoA


The SoA is a living document that must be regularly updated to reflect changes in the organisation’s risk landscape, business operations, and technological environment. Events that may trigger a review or update of the SoA include:


  • Changes in the business environment: such as expansion, new partnerships, or mergers.

  • Emerging threats: such as new cybersecurity vulnerabilities or regulatory changes.

  • Audit findings: external or internal audits may reveal gaps or issues that require updates to the SoA.


To ensure that the SoA remains relevant, it should be reviewed:


  • Periodically, as part of the ISMS performance evaluation.

  • After major incidents or security breaches, where controls may need to be adjusted.

  • During management reviews, to ensure ongoing alignment with business and security objectives.
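As an added illustration (not part of the original article), the following Python check enforces, over a constructed SoA register, the rules the Components and How to Create sections describe: every Annex A control has an include/exclude decision, every decision carries a justification, included controls have a recognised status and trace to assessed risks, and every risk with a "mitigate" treatment decision is covered by a selected control. The control references, risk IDs and entries are constructed sample data, not taken from any real SoA.

```python
from dataclasses import dataclass

# Implementation states the article lists for each selected control.
STATUSES = {"implemented", "partially implemented", "not implemented"}


@dataclass(frozen=True)
class SoaEntry:
    control_id: str        # Annex A reference, e.g. "A.8.24"
    included: bool         # True = selected, False = excluded
    justification: str     # reason for inclusion or exclusion
    status: str = "not implemented"
    risk_ids: tuple = ()   # risk register entries this control treats


def validate_soa(entries, annex_a_ids, risk_register):
    """Check an SoA register for the gaps an auditor looks for.

    annex_a_ids: the full set of Annex A control references in scope.
    risk_register: {risk_id: treatment} with treatment in
                   {"mitigate", "accept", "transfer"}.
    Returns a list of findings; an empty list means the SoA is consistent.
    """
    findings = []
    decided = {e.control_id for e in entries}
    # 1. Every Annex A control needs an explicit include/exclude decision.
    for cid in sorted(annex_a_ids - decided):
        findings.append(f"{cid}: no inclusion/exclusion decision recorded")
    for e in entries:
        # 2. Both included and excluded controls must be justified.
        if not e.justification.strip():
            findings.append(f"{e.control_id}: missing justification")
        if not e.included:
            continue
        # 3. Selected controls carry a recognised implementation status...
        if e.status not in STATUSES:
            findings.append(f"{e.control_id}: unknown status {e.status!r}")
        # 4. ...and must trace back to at least one assessed risk.
        if not e.risk_ids:
            findings.append(f"{e.control_id}: included but linked to no risk")
        for rid in e.risk_ids:
            if rid not in risk_register:
                findings.append(f"{e.control_id}: references unknown risk {rid}")
    # 5. Every risk the organisation chose to mitigate needs a selected control.
    covered = {rid for e in entries if e.included for rid in e.risk_ids}
    for rid, treatment in sorted(risk_register.items()):
        if treatment == "mitigate" and rid not in covered:
            findings.append(f"{rid}: treatment is 'mitigate' but no control addresses it")
    return findings


# Constructed sample data (not from any real SoA); control references follow
# the Annex A numbering scheme, the risk IDs are made up.
ANNEX_A_SAMPLE = {"A.5.1", "A.5.2", "A.7.1", "A.8.20", "A.8.24"}
RISK_REGISTER = {"R-01": "mitigate", "R-02": "mitigate",
                 "R-03": "mitigate", "R-04": "accept"}
SAMPLE_ENTRIES = [
    SoaEntry("A.5.1", True, "Treats R-01: undefined security responsibilities",
             "implemented", ("R-01",)),
    SoaEntry("A.7.1", False, "Single serviced office; perimeter security is "
             "provided by the landlord under contract"),
    SoaEntry("A.8.24", True, "", "partially implemented", ("R-02",)),  # no reason given
    SoaEntry("A.8.20", True, "Limits network access to sensitive systems",
             "in progress", ("R-99",)),  # unrecognised status, unknown risk
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_ENTRIES, ANNEX_A_SAMPLE, RISK_REGISTER):
        print(finding)
```

Running the sample reports five findings: an undecided control (A.5.2), a missing justification, an unrecognised status, a dangling risk reference, and a risk marked for mitigation that no selected control covers.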


Tools and Resources for Support


Implementing and maintaining an ISO 27001-compliant Information Security Management System (ISMS) can be a complex and time-consuming process.


Fortunately, there are various tools and resources available to support organisations in their efforts to achieve and maintain ISO 27001 certification.


1. Software Solutions


Several software solutions can help organisations streamline their ISMS implementation and maintenance.


These solutions can assist with tasks such as risk assessment, risk treatment planning, control implementation, and monitoring. They also facilitate compliance management and reporting, as well as document management and version control.


Some popular software solutions for ISO 27001 compliance include:


  • Compliance management platforms like Secureframe and Sprinto, which help manage and automate compliance tasks.

  • Risk management software such as Riskonnect and RSA Archer, which provide tools for conducting thorough risk assessments and developing risk treatment plans.

  • Document management systems like SharePoint and Documentum, which offer robust features for managing and controlling document versions, ensuring that all ISMS documentation is up-to-date and accessible.


By leveraging these software solutions, organisations can enhance the efficiency and effectiveness of their ISMS, ensuring that all necessary controls are implemented and monitored effectively.


2. Guidelines and Frameworks

In addition to software solutions, various guidelines and frameworks can provide valuable support for ISO 27001 implementation and maintenance. These resources offer detailed guidance on information security controls, risk management, and compliance.


Key guidelines and frameworks include:


  • ISO 27002:2013: This standard provides guidelines for the implementation of information security controls, offering detailed advice on how to apply the controls listed in ISO 27001.

  • NIST Special Publications: These documents offer comprehensive guidance on risk management and security controls, helping organisations to identify and mitigate information security risks effectively.

  • ENISA guidelines: The European Union Agency for Cybersecurity (ENISA) provides recommendations for information security risk management, helping organisations to develop robust security measures.

  • Industry-specific frameworks: Standards such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA) offer tailored guidance for specific sectors, ensuring that organisations meet industry-specific security requirements.


By following these guidelines and frameworks, organisations can ensure that their information security controls are aligned with best practices and regulatory requirements.


3. Professional Services and Consultations

For organisations that require additional support, professional services and consultations can be a valuable resource. These services can provide expert guidance on ISO 27001 implementation and maintenance, helping organisations to navigate the complexities of the standard.


Professional services and consultations can include:


  • ISO 27001 implementation and maintenance support: Expert consultants can assist with the entire process of implementing and maintaining an ISMS, ensuring that all requirements are met.

  • Risk assessment and risk treatment planning: Professional services can help organisations conduct thorough risk assessments and develop effective risk treatment plans.

  • Control implementation and monitoring: Consultants can provide guidance on implementing and monitoring information security controls, ensuring that all necessary measures are in place.

  • Compliance management and reporting: Professional services can assist with managing compliance tasks and preparing for ISO 27001 certification audits.

  • Auditing and certification support: Specialised firms can provide support during the auditing and certification process, helping organisations to achieve and maintain ISO 27001 certification.


Some popular providers of professional services and consultations for ISO 27001 compliance include consulting firms like Deloitte and KPMG, auditing firms like Ernst & Young and PwC, and specialised ISO 27001 consulting firms like ISMS.online and IT Governance.


By leveraging these tools and resources, organisations can ensure that their ISMS is properly implemented and maintained, and that they are well-prepared for ISO 27001 certification audits.


Challenges and Best Practices

While the Statement of Applicability (SoA) is a critical tool for managing an organisation’s information security controls, creating and maintaining it can come with certain challenges. Information security management systems (ISMS) play a crucial role in conducting risk assessments by identifying information assets and assessing associated risks to ensure their confidentiality, integrity, and availability.


To overcome these, organisations can apply best practices to ensure the SoA is not only compliant with ISO 27001:2022 but also effective in managing information security risks.


Common Challenges


  1. Complexity in Control Selection: Choosing the right controls from Annex A can be complex, especially for organisations with limited experience in information security. The challenge is to ensure that the selected controls are relevant and proportional to the actual risks the organisation faces. Selecting too few controls may leave gaps, while too many controls can lead to unnecessary complexity and resource strain.

  2. Keeping the SoA Updated: Information security threats evolve rapidly, and an organisation’s business operations may also change over time. Keeping the SoA up to date in response to new risks, technological advancements, or changes in organisational structure can be a challenge, especially if the review process is not well defined.

  3. Balancing Security and Operational Needs: Implementing controls can sometimes impact the efficiency of business operations. For example, stricter access control policies might slow down workflows if not carefully planned. Finding a balance between security and operational efficiency requires careful risk assessment and stakeholder involvement.

  4. Lack of Documentation for Justifications: Some organisations struggle to provide thorough justifications for the inclusion or exclusion of controls. This lack of documentation can lead to issues during an ISO audit, where auditors expect clear reasoning for each decision.


Best Practices


  1. Align the SoA with Business Goals: The SoA should not be viewed as a standalone security document, but rather as part of the broader business strategy. Organisations should align their selection of controls with both business objectives and risk appetite. This ensures that security measures support business growth and operational resilience.

  2. Engage Stakeholders Early: Developing the SoA should involve key stakeholders from across the organisation, including IT, legal, human resources, and senior management. This cross-functional engagement ensures that all departments understand the rationale behind selected controls and contribute to their successful implementation.

  3. Automate SoA Reviews and Updates: To streamline the process of keeping the SoA updated, organisations can use automated tools to track changes in risk levels, compliance requirements, and control effectiveness. Tools that integrate with the ISMS can help automatically flag areas where the SoA may need updating based on new risks or audit findings.

  4. Regular Training and Awareness: The SoA should be part of a broader information security training program. Employees at all levels should be aware of the controls that are in place and their roles in supporting these measures. Regular training ensures that controls are followed in practice, not just documented.

  5. Conduct Regular Audits and Assessments: Regular internal audits help ensure that the SoA remains effective and that the controls are being implemented correctly. Audits can also identify any gaps where controls may need to be added or adjusted. Organisations should schedule these audits at least annually, or whenever significant changes to the business occur.

  6. Document Detailed Justifications: When justifying the inclusion or exclusion of controls, it is essential to provide detailed explanations. This includes linking decisions directly to the results of the risk assessment and explaining alternative methods if a control is excluded. This level of documentation will not only satisfy auditors but also provide a clear rationale for decision-making that can be revisited in the future.

Conclusion


The Statement of Applicability (SoA) is a fundamental document within the ISO 27001:2022 framework, serving as a bridge between the risks identified in an organisation’s risk assessment and the controls implemented to mitigate those risks. Its role extends beyond compliance, providing a transparent and strategic approach to managing information security across the organisation.


A well-developed SoA demonstrates that an organisation:


  • Has conducted a thorough risk assessment.

  • Carefully selected and implemented controls tailored to its specific risks.

  • Justified the inclusion or exclusion of controls in line with its business objectives and regulatory requirements.


By keeping the SoA updated and integrating it into the organisation’s broader Information Security Management System (ISMS), the SoA becomes a living document that evolves alongside the organisation, ensuring that security measures remain relevant and effective over time.


In conclusion, organisations that invest in creating and maintaining a robust SoA will not only meet the requirements of ISO 27001 but also significantly strengthen their information security posture, fostering trust with customers, partners, and regulatory bodies. Continuous review, stakeholder engagement, and a commitment to balancing security with business needs will ensure that the SoA remains a valuable tool in safeguarding information assets.

About the author

Alan Parker is an IT consultant and project manager who specialises in IT governance, process implementation, and project delivery. With over 30 years of experience in the industry, Alan believes that simplifying complex challenges and avoiding pitfalls are key to successful IT management. He has led various IT teams and projects across multiple organisations, continually honing his expertise in ITIL and PRINCE2 methodologies. Alan holds a degree in Information Systems and has been recognised for his ability to deliver reliable and effective IT solutions. He lives in Berkshire, UK, with his family.