Statement of Applicability (SoA)

What is a statement of applicability? 

A Statement of Applicability is a document used in information security management that outlines the applicable control objectives and controls for an organization. It is typically created as part of an Information Security Management System (ISMS) to identify which specific standards, laws, regulations, and best practices should be implemented within the business. The statement also includes any additional measures needed to meet organizational goals or requirements.

What is an ISO 27001 statement of applicability? 

An ISO 27001 SoA is a document that outlines the security controls and processes an organization has implemented to protect its information assets. It includes a detailed description of the scope, objectives, risk assessment methodology, and control selection criteria used by the organization. The statement also describes how each security control is applied in relation to specific risks identified within their environment. Finally, the statement explains which controls are applicable for each risk and why they were selected.

Steps on how to Create Your Statement of Applicability

1. Identify the scope of your ISO 27001 compliance project 

Determine what areas and activities need to be covered by the implementation of an ISMS. Consider factors such as data security, physical security, access control, and disaster recovery.

2. Research applicable requirements 

Research relevant standards, regulations, laws, and other requirements that apply to your organization in relation to information security management systems (ISMS). This will help you identify which controls are necessary for your particular environment. 

3. Develop a risk assessment plan 

Conduct a risk assessment to identify any potential risks related to ISMS implementation within your organization’s scope of operations. Use this information when selecting appropriate controls for the ISMS framework. 

4. Develop a control framework 

Based on the results of your risk assessment and research, develop an ISMS control framework that meets the applicable standards, regulations, laws and other requirements for information security management systems in your organization’s scope of operations.

5. Create a Statement of Applicability (SOA)

Use the information from steps 1-4 to create an SOA document that outlines all relevant controls that have been implemented or are planned to be implemented within the ISMS framework. The SOA should include details such as objectives, scope, and justification for each control as well as any alternative measures considered but not selected. 

6. Review and update regularly 

Regularly review and update the SOA document to ensure it is up-to-date and accurately reflects the current state of the ISMS framework. This will help ensure that your organization remains compliant with applicable standards, regulations, laws, and other requirements governing information security management systems.

ISO 27001 Statement of Applicability template

  1. Introduction – description of purpose and scope; 
  2. Relevant policies and procedures; 
  3. Risk assessment results; 
  4. Listing of applicable security controls; 
  5. Explanation of how the controls are implemented and monitored; 
  6. Justification for any excluded security controls; 
  7. Signature of responsible parties.


Example of a Statement of Applicability

Organization Name: ABC Company

Date of Statement: 1/1/2021

The following is the Statement of Applicability for ABC Company. This statement outlines our commitment to ensuring that we are compliant with the requirements outlined in ISO 27001 and meeting all applicable regulations and standards related to information security. 

ABC Company has identified that the following controls from Annex A of ISO 27001 are applicable and relevant to our organization’s operations, processes, services, products, systems, and data processing activities:

A.5.1 Physical Security

A.6 Operational Procedures & Responsibilities 

A.7 Access Control

A.9 Organizational Security

B Asset Management

C Human Resources Security

D System Acquisition, Development and Maintenance

E Protection from Malicious and Mobile Code

F Information Backup & Storage

G Security Incident Management

H Business Continuity Management.

ABC Company has also identified that additional controls to supplement the ISO 27001 Annex A requirements are needed in order to adequately protect our systems, data and information assets: 

1. Network Segmentation and Access Policies: To ensure appropriate access control of our networks, ABC Company has implemented network segmentation policies as well as specific user access policies for different areas of our network infrastructure. 

2. Data Encryption: We have implemented encryption protocols on all data stored on mobile devices as well as sensitive data stored in databases or transmitted over networks. 

3. Multi-factor Authentication: ABC Company has implemented multi-factor authentication for all user accounts, requiring users to provide a combination of something they know (e.g. password) and something they have (e.g. mobile device). 

4. Vulnerability Management: We have implemented vulnerability scanning processes to identify potential security weaknesses in our systems, networks and applications on an ongoing basis and take appropriate actions to address them in a timely manner. 

5. Information Security Awareness Training: ABC Company provides regular information security awareness training for all employees as part of our commitment to ensuring that everyone is aware of the importance of protecting sensitive data and following best practices when it comes to information security management. 

ABC Company is committed to continuously assessing its compliance with ISO 27001 and other applicable regulations and standards, as well as periodically reviewing the effectiveness of our security controls.