
What is the Statement of Applicability in ISO/IEC 27001?

20/10/2025

The Statement of Applicability (SoA) is one of the most important documents that must be developed when implementing an Information Security Management System (ISMS) based on ISO/IEC 27001. More than just a requirement of the standard, the SoA is a fundamental document that outlines how security controls are selected, implemented, and maintained within an organization.

What is the Statement of Applicability?

The SoA is an official document that:

  • Lists every control in Annex A of ISO/IEC 27001 (in the 2022 edition, 93 controls grouped into four themes: organizational, people, physical, and technological), together with any necessary controls the organization has taken from other sources.
  • Specifies whether each control is applicable or not applicable to the organization.
  • Justifies the inclusion of each applicable control and the exclusion of each control that is not applicable.
  • States the implementation status of each applicable control (for example implemented, partially implemented, or planned).

Primarily, the SoA serves as a link between the organization’s risk assessment and the security measures implemented to address those risks.

Why is the Statement of Applicability Important?

  1. Shows Risk-Based Decision-Making
    It demonstrates that controls are selected based on a structured risk assessment and the organization’s unique context, rather than randomly.
  2. Encourages Transparency and Accountability
    The SoA explains why certain controls are in place and others are excluded, providing stakeholders with visibility into the organization’s approach to information security.
  3. Supports Certification and Audits
    As one of the first documents that auditors request, the SoA helps verify compliance with ISO/IEC 27001 and confirms that the ISMS is correctly designed.
  4. Acts as a Useful Reference
    The SoA is a very useful reference document for management, employees, and external partners to understand the organization’s security framework.

A Practical Example

Suppose an organization does not perform its own software development. Annex A contains controls for secure development (for example A.8.25 Secure development life cycle and A.8.28 Secure coding), and the SoA would mark these as “not applicable” with a justification such as: “No in-house software development activities; only third-party solutions are used.” The justification has to hold up against the ISMS scope and the risk assessment: if the organization commissions customization or integration work from a supplier, A.8.30 Outsourced development still applies, and an auditor will test the exclusion against what the organization actually does.

In contrast, controls for access control (A.5.15) or use of cryptography (A.8.24) would almost certainly be marked as applicable, with information provided on how they are implemented and monitored.
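The checks an auditor applies to an SoA (every Annex A control has a decision, every decision has a justification that is not boilerplate, every applicable control has a status, and no excluded control is one the risk treatment plan depends on) can be run mechanically if the SoA is kept as structured data. The following is an added example written for this article, not a PECB tool or template. It uses a constructed seven-control subset of Annex A and a constructed risk treatment plan; the risk identifiers (R-01, R-03, ...) and the list of phrases treated as "generic" justifications are assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Subset of ISO/IEC 27001:2022 Annex A used for this illustration.
# A real SoA lists all 93 controls; this dict stands in for that list.
ANNEX_A_SUBSET = {
    "A.5.1": "Policies for information security",
    "A.5.15": "Access control",
    "A.8.5": "Secure authentication",
    "A.8.24": "Use of cryptography",
    "A.8.25": "Secure development life cycle",
    "A.8.28": "Secure coding",
    "A.8.30": "Outsourced development",
}

# Justifications an auditor would treat as no justification at all
# (assumed list; extend it with whatever boilerplate your templates produce).
GENERIC_JUSTIFICATIONS = {
    "", "n/a", "not applicable", "not relevant",
    "required by the standard", "best practice",
}


@dataclass
class SoAEntry:
    control_id: str
    applicable: bool
    justification: str
    status: str = ""  # "implemented", "partially implemented", "planned", ...


def check_soa(entries: Iterable[SoAEntry],
              annex_a: dict[str, str],
              treatment_plan: dict[str, set[str]]) -> list[str]:
    """Return a list of findings (empty list means the SoA is consistent).

    treatment_plan maps a control id to the risk ids whose treatment relies
    on that control, i.e. the output of the risk assessment the SoA must
    be traceable to.
    """
    findings: list[str] = []
    by_id = {e.control_id: e for e in entries}

    # 1. Every Annex A control needs an explicit decision.
    for cid, title in annex_a.items():
        if cid not in by_id:
            findings.append(f"{cid} ({title}): missing from SoA")

    for e in by_id.values():
        # 2. Inclusion and exclusion both need a real, context-specific reason.
        if e.justification.strip().lower() in GENERIC_JUSTIFICATIONS:
            findings.append(f"{e.control_id}: justification is empty or generic")

        if e.applicable:
            # 3. Applicable controls must state where implementation stands.
            if not e.status:
                findings.append(f"{e.control_id}: applicable but implementation status not stated")
            # 4. Applicable controls should trace back to a risk (or a documented obligation).
            if e.control_id not in treatment_plan:
                findings.append(f"{e.control_id}: applicable but not referenced by the risk treatment plan; "
                                "confirm a legal or contractual basis is documented")
        elif e.control_id in treatment_plan:
            # 5. A control the treatment plan depends on cannot be excluded.
            risks = ", ".join(sorted(treatment_plan[e.control_id]))
            findings.append(f"{e.control_id}: excluded but risk treatment plan relies on it ({risks})")

    return findings


def demo() -> list[str]:
    """Constructed SoA for an organization with no in-house development."""
    no_dev = "No in-house software development activities; only third-party solutions are used"
    soa = [
        SoAEntry("A.5.1", True, "Directs the ISMS; treats R-01 (unclear security responsibilities)", "implemented"),
        SoAEntry("A.5.15", True, "Treats R-03 (unauthorized access to customer records)", "implemented"),
        SoAEntry("A.8.5", True, "Treats R-03; MFA on all remote access"),  # status missing
        SoAEntry("A.8.24", True, "Treats R-07 (disclosure of data at rest and in transit)", "implemented"),
        SoAEntry("A.8.25", False, no_dev),
        SoAEntry("A.8.28", False, "N/A"),  # generic justification
        SoAEntry("A.8.30", False, no_dev),  # but the treatment plan relies on it
    ]
    # Constructed risk treatment plan: R-12 covers supplier-built customizations.
    treatment_plan = {
        "A.5.1": {"R-01"}, "A.5.15": {"R-03"}, "A.8.5": {"R-03"},
        "A.8.24": {"R-07"}, "A.8.30": {"R-12"},
    }
    return check_soa(soa, ANNEX_A_SUBSET, treatment_plan)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running the demo reports three findings: A.8.5 lacks a status, A.8.28 carries a generic justification, and A.8.30 is excluded even though risk R-12 is treated by it. The last one is the case from the example above: "we do not develop software" stops being a valid exclusion as soon as the risk register records supplier-built customizations. Re-running the check whenever the risk assessment or the SoA changes is a cheap way to keep the two documents from drifting apart.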

Challenges in Developing the Statement of Applicability

Although the SoA is a critical component of ISO/IEC 27001, many organizations struggle to create a proper document and maintain it. Difficulties often arise from misinterpreting control requirements, using unclear or overly generic justifications, or failing to update the document as risks and circumstances change. Another common problem is ensuring that the SoA supports both compliance obligations and business objectives, rather than being treated as a simple checklist. Overcoming these challenges requires a solid understanding of ISO/IEC 27001, a well-defined risk management approach, and active commitment from key stakeholders across the organization.

Tips for Developing an Effective Statement of Applicability

  • Base it on Risk Assessment: Make sure that the SoA accurately reflects real risks and the selected risk treatments.
  • Be Clear and Context-Specific: Explanations should directly relate to your organization’s situations.
  • Keep it Current: Continually check and, when needed, update the SoA as risks, technologies, or processes evolve.
  • Use Beyond Compliance: Treat the SoA as a management resource, not just a certification document.

Conclusion

The SoA is not simply paperwork required by ISO/IEC 27001. It is a strategic tool that demonstrates how an organization adapts global best practices to its own needs. By directly linking risks to selected controls, the SoA keeps the ISMS both effective and relevant, ultimately strengthening trust with auditors, customers, and stakeholders.

How Can PECB Help You in Implementing a Strong Statement of Applicability

PECB offers a range of training and certification programs in the field of information security, designed to equip professionals and organizations with the knowledge and skills required to implement effective practices. Through these programs, you will gain the expertise needed to apply ISO/IEC 27001 successfully and to develop a clear, well-structured SoA that aligns with your organization’s context and risk environment.

Below are some of the key training courses offered by PECB that can support you and your organization in strengthening the implementation of ISO/IEC 27001 and creating a strong SoA:

About the Author

Vesa Hyseni is a Senior Content and Campaigns Specialist at PECB. She is responsible for creating up-to-date content, conducting market research, and providing insights about ISO standards. For any questions, feel free to reach out to her at support@pecb.com.