ISO 27001 Statement of Applicability

Every organisation handling sensitive data needs a clear way to show how it protects that information. That’s where the ISO 27001 Statement of Applicability comes in. It's not just paperwork; it’s a structured record of the security controls you have chosen and the reasons behind each choice.

Whether you're preparing for certification or simply enhancing your ISMS, the ISO 27001 Statement of Applicability is a must-have. It helps you stay compliant, communicate your risk decisions clearly, and prove you're serious about information security. In this blog, we’ll break down how it works and why it’s such a vital part of the ISO 27001 journey.

Table of Contents

1) What is the ISO 27001 Statement of Applicability?

2) Why is the ISO 27001 Statement of Applicability Important?

3) ISO 27001 Control List and Its Applications

4) Steps to Write a Statement of Applicability (SoA)

5) What Documents are Required by the Certification Bodies for ISO 27001 SOA?

6) Can I Remove Controls from the ISO 27001 Statement of Applicability?

7) Conclusion

What is the ISO 27001 Statement of Applicability?

The ISO 27001 Statement of Applicability (SOA) is a crucial document that details all the security controls listed in Annex A of the ISO 27001 Standard. It specifies which controls your organisation has chosen to implement and which ones have been excluded, providing clear justifications for each decision.

This document is a core component of your Information Security Management System (ISMS). It offers a comprehensive overview of how each selected control addresses specific information security risks and how it is implemented, making it essential for demonstrating compliance and maintaining security transparency.

Why is the ISO 27001 Statement of Applicability important?

The ISO 27001 Statement of Applicability is crucial because it connects your risk assessment to the specific controls your organisation employs. It ensures that your information security measures are relevant and well-documented.

Key Reasons Why the ISO 27001 SoA is Important:

a) Demonstrates Compliance: Serves as formal evidence during audits to show alignment with ISO 27001 requirements.

b) Links Risks to Controls: Clearly connects identified risks with the selected Annex A controls.

c) Provides Justification: Explains why each control is included or excluded, supporting transparency.

d) Supports Audits and Reviews: Facilitates easier and more effective internal and external assessments.

e) Clarifies Implementation: Shows the current status of each control: implemented, planned, or not applicable.

f) Assigns Accountability: Identifies responsible individuals or teams for each control.

g) Aligns with Business Needs: Ensures controls reflect your organisation’s unique risk environment.

h) Improves Governance: Enhances visibility and informed decision-making within the ISMS framework.

Take control of your organisation's Information security with our ISO 27001 Internal Auditor Course - register now!

ISO 27001 Control List and Its Applications

Within ISO 27001, there is a set of controls, specifically in Annex A, that organisations can use to address various information security risks. These controls are divided into 14 categories, each addressing a different aspect of information security. Here is a list of the ISO 27001 controls, along with their general uses:

1) Information Security Policies (A.5): Defines and communicates information security policies and objectives.

2) Organisation of Information Security (A.6): Establishes roles and responsibilities to maintain information security within the organisation.

3) Human Resource Security (A.7): Ensures employees and contractors are aware of and compliant with security policies.

4) Asset Management (A.8): Identifies, classifies, and manages information assets effectively.

5) Access Control (A.9): Controls access to information systems and data, ensuring authorised access and preventing unauthorised access.

6) Cryptography (A.10): Protects sensitive information through encryption and cryptographic controls.

7) Physical and Environmental Security (A.11): Secures physical facilities and equipment to prevent unauthorised access, damage, or interference.

8) Operations Security (A.12): Ensures the secure operation of information systems and data.

9) Communications Security (A.13): Protects the confidentiality and integrity of data during transmission.

10) System Acquisition, Development, and Maintenance (A.14): Integrates security into the Software Development Lifecycle and procurement processes.

11) Supplier Relationships (A.15): Ensures that suppliers and third-party partners meet information security requirements.

12) Information Security Incident Management (A.16): Establishes an incident response plan to properly address security breaches and incidents.

13) Information Security Continuity (A.17): Develops and maintains business continuity and disaster recovery plans.

14) Compliance (A.18): Ensures compliance with legal, regulatory, and contractual requirements concerned with information security.

Want to gain the expertise to lead and conduct a successful ISO 27001 audit? Sign up for our ISO 27001 Lead Auditor Course today!

Steps to Write a Statement of Applicability (SoA)

Now that we have discussed what a Statement of Applicability is, why it is essential and what it should include, we will discuss the steps to write one.


1) Understand the Requirements

The first step to writing an effective ISO 27001 Statement of Applicability is understanding the requirements, which can be overwhelming if you are new to the ISO 27001 checklist or to information security standards in general. Nevertheless, a comprehensive understanding of these requirements will help ensure that your Statement of Applicability is accurate and complete.

2) Conduct a Risk Assessment

You must conduct a risk assessment before you begin writing an ISO 27001 Statement of Applicability. This step aims to identify and evaluate the information security risks that could cause harm or loss to your organisation. If you have already completed a risk assessment, you can use that information as a starting point.

3) Determine your Risk Management Strategy

This step is where you define your Risk Management strategy: identify your security risks and decide what you need to implement to manage those risks effectively. For instance, an organisation may implement an encryption solution to secure sensitive data. Once you have defined all the parts of your Risk Management strategy, you will have a clearer picture of the controls best suited to address every component of your organisation's Information Technology system.

4) Select the Relevant Security Controls

Every organisation is different, meaning that it has a unique set of risks to which it is most vulnerable. This, in turn, means that every organisation will have a unique set of ISO 27001 controls that it must adopt to strengthen its security posture against those risks.

For instance, if you run a large manufacturing business with multiple warehouses where inventory is always being shipped out or returned to storage, the physical access controls could be a part of your ISO 27001 Statement of Applicability. However, other companies may find that they do not face many physical security risks and that another set of controls is at the top of their priority list.

5) Complete the Statement of Applicability

At this point in the process, you have everything you need to put your Statement of Applicability together. If you have chosen to exclude an Annex A control from your Statement of Applicability, providing an appropriate justification for that decision is essential. You should also include the risks you considered and determined not to be a high priority for your organisation and, where possible, explain why each such risk was deemed unsuitable for inclusion in your Statement of Applicability.

You must also document the reason for including each Annex A control mentioned in your statement. Typically, an Annex A control is included because it was determined to be necessary for mitigating a specific information security risk to the company.

6) Plan Annual Updates

Planning annual updates for the Statement of Applicability is important to ensure it remains accurate and aligned with your organisation's evolving needs. As business operations, regulatory requirements, and risk profiles change over time, regular reviews become crucial.

These updates help confirm that selected controls remain relevant, ownership is current, and all changes are properly documented. Additionally, they support smoother surveillance audits and re-certification against the ISO 27001 requirements.
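As an added illustration (not the blog's own material), the script below builds one Statement of Applicability row per Annex A control from a constructed risk treatment plan, then runs the checks an auditor would expect: every excluded control carries a justification, every included control has an owner, and no risk treatment points at a control outside the catalogue. The control subset, risk ids, owners and statuses are sample data.

```python
from dataclasses import dataclass, field

# Constructed subset of Annex A control ids (sample data, not the full list).
ANNEX_A = {
    "A.9.1.1": "Access control policy",
    "A.10.1.1": "Policy on the use of cryptographic controls",
    "A.11.1.2": "Physical entry controls",
    "A.12.4.1": "Event logging",
}
# Constructed risk treatment plan: risk -> controls selected to treat it.
RISK_TREATMENT = {
    "R-01 Unauthorised access to customer database": ["A.9.1.1", "A.12.4.1"],
    "R-02 Stolen laptop exposes customer data": ["A.10.1.1"],
}
# Controls excluded after the risk assessment, each with its documented reason.
EXCLUSIONS = {"A.11.1.2": "Fully cloud-hosted; no premises within ISMS scope"}
# Owner and implementation status of included controls (A.12.4.1 omitted on purpose).
STATUS = {"A.9.1.1": ("CISO", "implemented"), "A.10.1.1": ("IT Ops", "planned")}

@dataclass
class SoARow:
    control: str
    title: str
    applicable: bool
    justification: str
    status: str = "not applicable"
    owner: str = ""
    risks: list = field(default_factory=list)

def build_soa():
    """One row per Annex A control: included if any risk selects it, else excluded."""
    rows = []
    for cid, title in ANNEX_A.items():
        risks = [r for r, cs in RISK_TREATMENT.items() if cid in cs]
        if risks:
            owner, status = STATUS.get(cid, ("", "not started"))
            rows.append(SoARow(cid, title, True, "Treats " + "; ".join(risks), status, owner, risks))
        else:
            rows.append(SoARow(cid, title, False, EXCLUSIONS.get(cid, "")))
    return rows

def validate(rows):
    """Findings an auditor would raise: unjustified exclusions, missing owners,
    and risk treatments that reference controls absent from Annex A."""
    findings = []
    for r in rows:
        if not r.applicable and not r.justification:
            findings.append(f"{r.control}: excluded without justification")
        if r.applicable and not r.owner:
            findings.append(f"{r.control}: no control owner assigned")
    for risk, cs in RISK_TREATMENT.items():
        findings += [f"{risk}: references unknown control {c}" for c in cs if c not in ANNEX_A]
    return findings
```

Running `validate(build_soa())` on the sample data reports the deliberately unowned A.12.4.1, which is the kind of gap an annual review should catch before a surveillance audit does.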

Want to elevate your organisation's Cyber Security practices? Register for our industry-leading ISO 27001 Internal Auditor Course today!

What Documents are Required by the Certification Bodies for ISO 27001 SOA?

Certification bodies require the ISO 27001 Statement of Applicability (SoA). They also require the organisation’s risk assessment and risk treatment plan. In addition, supporting documentation must justify control selections, exclusions, and the current implementation status of each Annex A control.

Can I Remove Controls from the ISO 27001 Statement of Applicability?

Yes, you can exclude controls from the ISO 27001 Statement of Applicability, but only if they are justifiably not applicable based on your organisation’s risk assessment and its legal, regulatory, or contractual requirements. Each exclusion must be clearly documented and explained in the SoA.

Conclusion

A well-presented and easy-to-understand ISO 27001 Statement of Applicability shows the relationship between the relevant, implemented Annex A controls and the risks and information assets within the ISMS scope. It assures an auditor or any other interested party that an organisation is taking its information security management seriously, especially when it is joined into a holistic Information Security Management System.

Take the first step towards securing your organisation's information with our comprehensive ISO 27001 Foundation Course.

Frequently Asked Questions

What Documents Do Certification Bodies Require for ISO 27001 SoA?


Certification bodies typically require the ISO 27001 Statement of Applicability (SoA). It lists all Annex A controls, states their applicability, explains exclusions, and shows implementation status aligned with the risk assessment and treatment plan.

What’s the Difference Between ISO 27001 SoA and Scope?


The Scope of ISO 27001 defines the boundaries of the Information Security Management System (ISMS), specifying which parts of the organisation, assets, and processes are covered. The Statement of Applicability (SoA) lists the security controls chosen, justifies their inclusion or exclusion, and records details of their implementation status.

What are the Other Resources and Offers Provided by The Knowledge Academy?


The Knowledge Academy takes global learning to new heights, offering over 3,000 online courses across 490+ locations in 190+ countries. This expansive reach ensures accessibility and convenience for learners worldwide.

Alongside our diverse Online Course Catalogue, encompassing 19 major categories, we go the extra mile by providing a plethora of free educational Online Resources like News updates, Blogs, videos, webinars, and interview questions. Tailoring learning experiences further, professionals can maximise value with customisable Course Bundles of TKA.

What is The Knowledge Pass, and How Does it Work?


The Knowledge Academy’s Knowledge Pass, a prepaid voucher, adds another layer of flexibility, allowing course bookings over a 12-month period. Join us on a journey where education knows no bounds.

What are the Related Courses and Blogs Provided by The Knowledge Academy?


The Knowledge Academy offers various ISO 27001 Training Courses, including the ISO 27001 Foundation Course, ISO 27001 Lead Auditor, and ISO 27001 Internal Auditor. These courses cater to different skill levels, providing comprehensive insights into Compliance Objectives: Features, Benefits & Use Cases.

Our ISO & Compliance Blogs cover a range of topics related to certification and regulatory standards, offering valuable resources, best practices, and industry insights. Whether you are a beginner or looking to advance your compliance skills, The Knowledge Academy's diverse courses and informative blogs have got you covered.
