Cyber incidents will become the leading risk to businesses worldwide by 2025, according to a survey of risk management experts. ISO 27001 compliance offers a well-laid-out approach to information security management amid rising threats. Many organizations find it challenging to create a crucial document that sits at the framework’s core – the Statement of Applicability (SoA).
Clause 6.1.3 of the standard specifically mentions the Statement of Applicability ISO 27001 document. This document connects risk assessment with information security implementation. Organizations must have an SoA ISO 27001 to receive certification, and it forms the foundation for internal and external audits. A poorly prepared SoA can lead to certification denial.
The 2022 ISO 27001 update brought changes to Annex A, which reduced information security controls from 114 to 93. Your SoA must carefully document these controls, now grouped into four main categories. Auditors rely on the SoA to get a full picture of your implemented controls before your ISO 27001 audit.
This piece explores the Statement of Applicability’s importance for ISO 27001 compliance. You’ll learn how it ties into your risk management process and the best ways to create an audit-ready document that enhances your information security stance.
The Role of the SoA in ISO 27001 Certification
The Statement of Applicability is the life-blood of ISO 27001 certification. It’s much more than just another document in the compliance process. Many organizations don’t realize its true value. The SoA acts as the vital connection between risk identification and security measure implementation. Let me get into why this document matters so much to your certification trip.
Why the SoA is a mandatory document
ISO 27001 standard makes it clear – you need a Statement of Applicability. This isn’t just paperwork. The SoA serves as the main bridge that connects your risk assessment to risk treatment processes within your information security management system.
You can’t get ISO 27001 certification without a properly prepared SoA. On top of that, it shows which controls you need beyond risk management – like legal requirements, vendor contracts, and business needs. You must document these reasons clearly to show your detailed approach to information security.
The SoA must be included because it shows a complete view of your security setup. It gives auditors solid proof that your organization picked the right controls based on your specific risks and situation. Your security measures aren’t random – you chose them through a clear process.
How auditors use the SoA during certification
Auditors rely on the SoA as their main reference document. You could call it their “cheat sheet” for checking your ISMS setup. The certification usually goes like this:
- Your SoA needs to be ready for the Stage 1 certification audit
- Auditors take a deeper look at it during Stage 2
- The final version becomes part of your ISO 27001 certification papers
Auditors check your information asset list, look at identified risks, and review risk evaluations and treatments. They want real proof that you’ve set up the controls mentioned in the SoA. They use it as their roadmap through your ISMS.
A well-laid-out SoA helps you get ready for audits and reduces certification risks. Problems in this document can stop you from getting certified. Many organizations fail ISO 27001 audits because auditors lose faith in their ISMS when they see poorly managed docs.
SoA as a summary of your ISMS implementation
The SoA does more than meet certification requirements. It gives executives a quick overview of your security approach. Each control gets its own row in a detailed yet simple format that works great for management teams and stakeholders.
Your SoA tells the story of how you handle security – showing if your approach makes sense, focuses on risks, and meets customer needs. This summary helps in several ways:
- Shows you’re serious about managing information security risks
- Builds trust with people worried about data security
- Makes your security measures clear to everyone
- Makes it easier to talk with partners and management
Don’t treat the SoA like a one-time certification document. It should grow and change as your organization’s digital world changes. Regular updates keep it useful and true to your current security setup.
Organizations that manage to keep their SoA current, include it in internal audits, and review it with management find it helps them run better security controls. The SoA becomes your main window into how well your ISMS works.
How the SoA Connects to Risk Assessment and Treatment
Image Source: Advisera
The Statement of Applicability creates a clear connection between your risk assessment processes and security controls. This vital document works as a bridge. It connects potential problems with your preventive measures.
How the SoA Connects to Risk Assessment and Treatment
Linking SoA to risk identification and evaluation
The SoA connects your information security risk assessment work with control implementation. You need to identify and evaluate risks to your valuable information assets. The SoA then shows exactly where you chose to implement security measures from the 93 control objectives in Annex A.
This connection works both ways. Every control in your SoA traces back to a specific risk from your assessment. Your leadership and security teams can make better decisions quickly with this context. A new service provider might bring sensitive data flows. The SoA helps you spot which controls need updates.
Your organization can line up with ISO 27001:2022 requirements when you map risk assessment results to the SoA. This gives you a clear path to implement the work to be done. Risk assessment results in the SoA help you simplify compliance work. You can cut down on paperwork and boost how well your organization runs.
Using the SoA to document risk treatment decisions
Your organization must decide how to handle each risk after identifying and analyzing them. ISO 27001 suggests four main ways to treat risks:
- Mitigate/Treat – Apply controls to reduce the risk (e.g., implement multi-factor authentication)
- Avoid/Terminate – Change processes to eliminate the risk altogether
- Transfer/Share – Pass the risk to a third party (through cyber insurance or outsourcing)
- Accept/Tolerate – Accept risks that don’t have much impact or aren’t worth fixing
Your SoA records these treatment decisions. It shows which Annex A controls you picked to handle specific risks. You must explain why you included or excluded each control. Your explanation should link to specific risks, business needs, and any rules you must follow.
Control A.5.31 – “Legal, statutory, regulatory, and contractual requirements” needs attention in your SoA. Many ISO 27001 controls become mandatory whatever your risk assessment shows.
Examples of control selection based on risk
Let’s look at an organization that found risks of unauthorized access to sensitive customer data. Their assessment showed threats from both outside attacks and internal mistakes. Here’s what they did:
- They used control A.5.15 to protect sensitive information. This control gives access only to those who need it, following the principle of least privilege.
- They tackled email risks with controls like A.5.14 (information transfer) and A.6.4 (disciplinary process).
- They fought malware threats with control A.8.7 (Protection against malware). This control includes guidelines for malware defense through controlled access, change management, and anti-malware software.
Each control links directly to risks found during assessment. Risks and controls work together to create a security framework. This framework handles unique threats while meeting ISO 27001 requirements.
The SoA becomes more than a compliance document. It turns into a risk management tool that shows how each control handles specific security concerns. This clarity helps stakeholders understand security investments. They can focus resources on fixing the most important risks.
What to Include in Your ISO 27001 SoA Document
Image Source: High Table
You need to pay close attention to detail and document everything when you create a complete Statement of Applicability document. The SoA works as the master list of Annex A controls that apply to your Information Security Management System (ISMS). A well-laid-out SoA helps auditors understand your security approach and verify ISO 27001 compliance.
List of 93 Annex A controls
The 93 Annex A controls from ISO 27001:2022 are the foundations of any SoA. These controls fall into four main categories:
- A.5: Organizational controls (37) – They cover information security governance, policies, roles, access control, and supplier relationships
- A.6: People controls (8) – These deal with human resource security including screening, training, and incident reporting
- A.7: Physical controls (14) – They handle physical security perimeters, equipment protection, and secure disposal
- A.8: Technological controls (34) – These focus on technical aspects like access rights, malware protection, and vulnerability management
You must list each control with its official identifier and name from the standard. Teams usually present these controls in a spreadsheet format. This makes it easy for internal teams and external auditors to review them.
Inclusion/exclusion status and justification
Your SoA needs to clearly show whether each of the 93 controls is:
- Applicable (implemented)
- Not applicable (excluded)
Every decision needs proper justification. You should explain why you need to implement included controls. Link them to identified risks, business requirements, or regulatory obligations. For excluded controls, give clear reasons that match your risk assessment results.
Keep your justifications brief but detailed enough to show careful thought. Audit problems often come from poorly justified exclusions. Your reasoning must fit your business goals and risk assessments, as ISO 27001:2022 Clause 6.1 requires.
Implementation status and control owner
Your SoA should also document:
- Implementation status (fully implemented, partially implemented, or planned)
- Control owner (person or role responsible)
- Implementation date
- Last review date
This information shows auditors your progress toward full compliance and sets clear accountability in your organization. Tracking implementation status creates a roadmap for your ISMS development and points out areas you need to work on before certification audits.
References to supporting documentation
Your SoA should include references to supporting documentation for each control that applies. These references connect your SoA to other ISMS documents. ISO 27001 experts call this “a window into the organization’s ISMS”.
References might include:
- Policy documents
- Procedures and work instructions
- Risk assessment records
- Evidence of control implementation
These documentation links are a great way to get help during audits when auditors ask for evidence of control implementation. Auditors might lose confidence in your ISMS administration without proper references – this is why many organizations fail ISO 27001 audits.
A complete record system is vital to show compliance and prepare for certification audits. Organizations that use integrated ISMS platforms find it easier to manage documentation than those using separate documents. This reduces the risk of outdated or mismatched information.
Best Practices for Writing a Strong SoA
Creating an effective Statement of Applicability needs more than just checking boxes on a compliance form. A well-crafted SoA is the life-blood of your Information Security Management System (ISMS). You can create a document that satisfies ISO 27001 compliance requirements and becomes a valuable tool for your organization’s security program by doing this.
Use clear, concise justifications
Your statement of applicability ISO 27001 document must provide clear justifications for each control’s inclusion or exclusion. These justifications should be brief yet show that your senior leadership has really thought about your organization’s unique risks. Note that vague reasons like “we haven’t implemented it yet” or “it’s too expensive” don’t qualify as valid justifications for excluding a control.
Effective justifications should:
- Reference specific identified risks from your assessment
- Line up with your business context and regulatory requirements
- Be easily understood by auditors and stakeholders
- Stay traceable to your risk assessment and treatment decisions
Organizations often fail ISO 27001 audits because auditors can’t gain confidence in the ISMS due to poorly managed or missing documentation. Each justification must explain the logic behind your selection decisions clearly.
Line up controls with business objectives
Your SoA must line up with your organization’s strategic goals to deliver real value for ISO 27001 compliance. This ensures that security measures address identified risks and support your broader business objectives.
The ISO 27001 statement of applicability shows your organization’s risk appetite and compliance requirements. Strategic alignment can boost both security posture and operational efficiency. This approach reshapes the scene by turning your SoA from a mere compliance document into a strategic asset that shows how each security control adds to organizational success.
Your risk assessment and the aligned SoA provide clear evidence of your decision-making process and steadfast dedication to information security. Leadership commitment is the life-blood of effective SoA management, so the document should reflect resource allocation and support for your organization’s overall information security strategy.
Involve stakeholders across departments
An effective ISO statement of applicability needs input from multiple points of view across your organization. The SoA becomes more complete when key personnel participate from the start. You should identify important stakeholders who have a vested interest in the SoA and get their approval on relevant sections.
Stakeholder participation is significant for several reasons:
- It ensures the SoA lines up with diverse business needs
- It promotes a collaborative security environment
- It boosts the document’s relevance and effectiveness
- It supports finding potential challenges and opportunities
Organizations should aid open dialog, host shared workshops, and set up feedback mechanisms for stakeholders to provide ongoing input. The collaborative approach ensures that security measures address specific needs, even with the challenge of gathering diverse points of view, lining up with ISO 27001:2022 Clause 5.5.
Want to know if your SoA is audit-ready? Book a Readiness Call with our ISO 27001 experts who can review your documentation and provide targeted recommendations before your certification audit.
These best practices will help you create an ISO 27001 SoA that satisfies certification requirements and serves as a valuable tool for managing your organization’s information security program effectively.
Tools and Templates to Simplify SoA Creation
Image Source: Hyperproof
Creating a Statement of Applicability can be time-consuming when you don’t have the right tools. You’ll find several resources that make ISO 27001 compliance easier.
Using a statement of applicability ISO 27001 template
A good statement of applicability ISO 27001 template in XLS or PDF format helps you start building your SoA document. These templates keep formatting consistent and help you track all 93 Annex A controls that need evaluation. Templates are useful but they only support your actual implementation.
Templates won’t write your justifications or create your security narrative. Security experts warn that SoAs copied straight from templates don’t pass auditor reviews. You should use templates to save time while adding your organization’s specific security decisions.
A smart approach is to version your template for each audit cycle. You could add the year (like SoA_Template_2025) and keep old versions. This shows how your ISO statement of applicability has changed with time.
Automating SoA with GRC platforms
Governance, Risk, and Compliance (GRC) platforms lift ISO 27001 compliance by turning the SoA from a static document into a dynamic management tool. Platforms like Copla, ISMS.online, and Effivity have special modules that connect risks to Annex A controls in one place.
These platforms let organizations:
- Track implementation status quickly
- Document justifications within a structured framework
- Link controls to supporting evidence and documentation
- Generate audit-ready reports automatically
Automation cuts down administrative work during the ISO 27001 compliance audit cycle. These tools reduce manual effort and improve accuracy by streamlining documentation and reporting.
Benefits of integrated ISMS tools
Integrated Information Security Management System tools do more than just handle documentation. They create direct links between each control in your ISO 27001 SoA and real evidence—like policies, training records, and system settings.
These tools make team participation easier through shared workflows. Teams can give input across departments. Many platforms offer customizable dashboards that show control implementation status and compliance gaps instantly.
Organizations can move from planning to audit-ready documentation faster than manual methods. Structured workflows and expert guidance make the path to ISO 27001 compliance certification quicker.
Teams maintaining ongoing compliance will find these tools helpful. Version control and monitoring become simpler—everything in keeping your SoA ISO 27001 current works better in today’s changing risk landscape.
Keeping Your SoA Audit-Ready
Image Source: Hyperproof
The Statement of Applicability needs constant attention to work well – it’s not just a document you can file and forget. Your ISO 27001 compliance experience becomes smoother when you schedule and update your SoA systematically.
Review frequency and triggers
Your statement of applicability ISO 27001 needs a yearly review at minimum. Several key events should trigger an immediate review:
- Major business changes like expansion, mergers, or cloud migration
- Identification of new risks or changes to existing risk impact
- Incidents exposing control weaknesses
- Following internal or external audits that identify gaps
- Changes in organizational structure or operations
- New regulatory requirements or confidentiality clauses
The reviews work best when scheduled with your annual risk assessment. This practice helps you keep your security measures in step with new threats.
Aligning SoA with ISO 27001 compliance audit cycles
Certified organizations typically face surveillance audits each year during their three-year certification cycle. Your ISO 27001 SoA becomes crucial during these assessments when auditors check if your implemented controls match your SoA.
Auditors check whether you’ve properly implemented the controls. Between full certifications, they usually look at 50% of Annex A requirements each year. Regular updates to your ISO statement of applicability make these surveillance audits easier.
Maintaining traceability to risk assessments
Your SoA ISO 27001 decisions should link directly to your organization’s risk assessment. This connection lets you make risk-based decisions since each control traces back to specific identified risks.
Your organization should regularly check if the ISO 27001 statement of applicability still matches your risk landscape. Senior leaders need to review and approve SoA updates to show the document reflects company’s ISO 27001 compliance goals. Their support helps other departments understand why these initiatives matter.
Conclusion
The Statement of Applicability is the life-blood of ISO 27001 compliance. It does more than check a box in the certification process. This piece shows how a good SoA connects your risk assessment to security controls. Your organization’s unique risk profile shapes these security measures from abstract requirements into useful steps.
Smart organizations see their SoA as a living document instead of static paperwork. This approach gives them an edge during certification audits. Your business changes should reflect in your SoA as new threats and rules emerge. You need regular reviews, especially after big changes or security issues happen.
Clear and brief explanations for each control choice show careful thought about your security stance. Well-documented reasons give auditors faith in your ISMS management and cut certification risks. Companies that don’t deal very well with SoA preparation should Book a Readiness Call with ISO 27001 experts. These specialists can check documentation and suggest improvements before audits.
Getting stakeholders from all departments makes your SoA stronger. It helps arrange controls with business needs of all sizes while tackling known risks. The work to gather everyone’s input pays off. The final document offers a detailed view of your security approach that meets both compliance needs and business goals.
Your Statement of Applicability tells how your company handles information security. It reveals if your approach makes sense, focuses on risks, and meets what stakeholders expect. A well-laid-out, current SoA helps you not only get certified but also builds strong security foundations. These foundations protect your valuable information in today’s changing digital world.
Key Takeaways
The Statement of Applicability (SoA) is the mandatory bridge between risk assessment and security implementation in ISO 27001 compliance, serving as your roadmap to certification success.
• SoA is mandatory for certification – Without a properly prepared Statement of Applicability, organizations cannot achieve ISO 27001 certification as it’s explicitly required by clause 6.1.3.
• Links risks to controls systematically – The SoA creates direct traceability between identified risks and the 93 Annex A controls, ensuring security measures address actual threats.
• Requires clear justifications for all decisions – Every control inclusion or exclusion must be documented with specific rationale referencing risks, business context, or regulatory requirements.
• Must involve cross-departmental stakeholders – Effective SoAs require input from multiple perspectives to ensure controls align with diverse business needs and operational realities.
• Needs regular reviews and updates – The SoA should be reviewed annually and updated after major business changes, incidents, or new risk identifications to remain audit-ready.
A well-maintained SoA transforms from a compliance document into a strategic security asset that demonstrates your organization’s thoughtful, risk-based approach to information security management.
FAQs
Q1. What is the Statement of Applicability (SoA) in ISO 27001? The Statement of Applicability is a mandatory document for ISO 27001 certification that links risk assessment to security control implementation. It lists all 93 Annex A controls, indicating which are applicable to the organization and providing justifications for inclusions and exclusions.
Q2. How often should the SoA be reviewed? The SoA should be reviewed at least annually. However, it should also be updated after major business changes, identification of new risks, security incidents, or following internal/external audits that identify gaps in controls.
Q3. What are the key components to include in an ISO 27001 SoA? A comprehensive SoA should include a list of all 93 Annex A controls, their inclusion/exclusion status with justifications, implementation status, control owners, and references to supporting documentation.
Q4. How does the SoA connect to risk assessment? The SoA directly links identified risks to specific security controls. Each control in the SoA should trace back to risks identified in the assessment, creating a clear connection between what could go wrong and what’s being done to prevent it.
Q5. What are some best practices for creating an effective SoA? Best practices include using clear and concise justifications, aligning controls with business objectives, involving stakeholders from various departments, and utilizing templates or GRC platforms to streamline the creation process. Regular reviews and updates are also crucial to keep the SoA audit-ready.