ISO 27001 Statement of Applicability Ultimate Guide


The ISO 27001 Statement of Applicability documents the information security controls that apply to your business and is a key document in the information security management system (ISMS). It is one of the first documents an auditor will normally ask for. As a minimum it lists all of the ISO 27001 Annex A controls and records whether or not they apply to your business. If not, it records why not.

In this ultimate guide I show you everything you need to know about the ISO 27001 Statement of Applicability (SoA).

You will learn

  • What is an ISO 27001 Statement of Applicability?
  • How to write an ISO 27001 Statement of Applicability

What is an ISO 27001 Statement of Applicability?

The Statement of Applicability (SoA) is the list of information security controls that you are applying in your organisation.

The Statement of Applicability is a mandatory document required for ISO 27001 certification.

Purpose

The purpose of the ISO 27001 Statement of Applicability is to communicate to auditors, staff and third parties which of the ISO 27001 Annex A controls your organisation has applied.

As not all of the ISO 27001 Annex A controls are mandatory, it helps people to understand the controls that you have applied to support your ISO 27001 certification.

It is possible to be ISO 27001 certified with very few Annex A controls, and as such the Statement of Applicability is the second most requested document after the actual ISO 27001 certificate.

Definition

The ISO 27001 Statement of Applicability is defined in ISO 27001:2022 clause 6.1.3 Information Security Risk Treatment as:

produce a Statement of Applicability that contains:

— the necessary controls;

— justification for their inclusion;

— whether the necessary controls are implemented or not; and

— the justification for excluding any of the Annex A controls.

ISO 27001:2022 Clause 6.1.3 d)

ISO 27001 Statement of Applicability 2022

The ISO 27001 Standard changed in 2022 and with it the list of controls changed.

You can find all of the ISO 27001 Statement of Applicability 2022 controls in the ISO 27001:2022 Annex A Controls Reference Guide.

To see what is new, what was removed and what changed, you can read The Complete Guide to Changes to the ISO 27002 Standard.

What that means is that when you go for your ISO 27001 certification you should speak to the certification body and clarify with them which control set, i.e. which version of the ISO 27002 standard or list of controls, they are going to audit and certify you against.


Why you need an ISO 27001 Statement of Applicability

The Statement of Applicability is a document that you’re often, in fact nearly always, asked for.

You are going to be asked for it by the auditors, you are going to be asked for it by third parties such as your clients and potential clients.

In fact, anybody looking at your information security management system will want to know what the statement of applicability is.

The Statement of Applicability (SoA) is important because it lists out the controls that your organisation has implemented for information security.

What people want to know is what is the scope of your ISO 27001 certification, in other words what does the certificate cover, and what are the information security controls that you have implemented to protect it.

When it comes time to perform the ISO 27001 certification audit, the certification body is going to ask for the SoA so that they know what they are auditing.

ISO 27001 Controls

Information security controls are controls that mitigate information security risks.

Information security is about the confidentiality, integrity and availability of data.

ISO 27001 includes an Annex A which is a list of common information security controls for you to consider.

ISO 27001 Annex A is based on the ISO 27002:2022 standard, which sets out the information security controls with detailed implementation guidance.

The list of controls is taken directly from ISO 27001 Annex A, which is also published as its own standard, ISO 27002.

You can read about the difference between ISO 27001 and ISO 27002 and also see a list of all the ISO 27001 controls.

How do you decide what controls to include in a Statement of Applicability (SoA)?

You decide on the controls to include in the Statement of Applicability (SoA) in a number of different ways.

The main approach to identifying the controls that you need is:

  1. Define the scope of your information security management system (ISMS)
  2. Conduct a risk assessment to identify information security risks
  3. Choose controls from ISO 27001 Annex A that mitigate those risks.

As a minimum that list of controls is going to include the Annex A controls. That forms the bare minimum part of the ISO 27001 certification and, to be fair, is often enough.

Of course, there may be additional controls that you are going to record as well: controls that you are implementing either from other standards or from direct requests from your customers.

These requirements would be captured on your legal and contractual register, and the actual controls would be recorded in your Statement of Applicability (SoA).

As a basic requirement we are going to make a start by including and listing the Annex A / ISO 27002 controls.

The list of Annex A / ISO 27002 controls is going to be used many times. 

What if the Statement of Applicability (SoA) controls don’t apply?

It is very possible that the list of controls provided by ISO 27001 Annex A / ISO 27002 includes controls that do not apply to your organisation.

So what should you do? Implement them anyway to pass the ISO 27001 certification?

No.

The approach that you take is to record in the Statement of Applicability (SoA) that the controls do not apply to you and to state the reason that they do not apply.

If you do not have physical premises and work remotely, then it is highly possible that the physical security controls that apply to data processing facilities will not apply to you. If you do not do software development, then the software development controls do not apply to you.

Have a complete list but show and record the controls that are not applicable stating the reason why.

As a top tip it would be my recommendation to record all of the out of scope controls on the risk register and manage them through the risk management process which includes accepting the risk and documenting the decision as evidence.

How to write an ISO 27001 Statement of Applicability

Time needed: 1 hour


  1. Buy a copy of the standard ISO 27002:2022

    Most people would make a start by buying a copy of the standard. You should always buy a copy of the standard. Then you would work through the ISO 27002 standard and laboriously copy and paste the controls into a spreadsheet.
    The standard is not set out in a way that makes this easy for you. It will take you a long time if you do it yourself. It can be a massive time sink. I see people always start at this point and then pretty much get to the end of this step, realise the time involved and then look to get help.

  2. Create your Microsoft Excel Spreadsheet

    Create a Microsoft Excel spreadsheet and add columns for the ISO 27002 clause, title, control objective, the reason the control is required, whether the control is applicable, the date it was last assessed and, if it is not applicable, the reason why.

  3. Add each ISO 27002 control as a row in the Statement of Applicability Spreadsheet

    Take the clause and the title directly from the standard, take the control objective directly out of Annex A / ISO 27002, and copy and paste them into the spreadsheet.

  4. Document the reason why the control applies to you

    Then you are going to look at the drivers that you considered in implementing the control. You may want to say that you implemented it because the standard says you have to, which is factually correct, but it is not what the auditor for ISO 27001 certification wants to hear. Whether true or not, you want to be able to say why you implemented the control, so for simplicity we are going to record the main reasons as:
      • Contract Reason
      • Legal Reason
      • Risk Reason
      • Business Reason

  5. Record which controls do not apply to you

    It may well be that there is no reason for a particular control, which is perfectly fine. You are still going to record it in the Statement of Applicability, but you are going to record that it is not in scope, i.e. it does not apply, and the reason that it does not apply to you.
    At certification the auditor wants to see why you think a particular control does not apply to you. It is rare that controls do not apply, as it is an international standard and it covers across the board, but it does happen.
    For example, if you do not do software development then that section does not apply. If you are fully remote, then many of the controls on physical security would not apply.
    You just record it and state the reason. Now you do not have to worry about them.

  6. Regularly review the applicability of the controls

    The applicability of controls needs to be reviewed regularly, at least once a year and certainly before you take the certification audit.
    You are therefore going to record here the date that each control was last assessed, i.e. when you last reviewed whether or not that control was in scope.
    For good document mark-up you will have version control on your document that shows when the main review took place.
    Anyone looking at it is going to say: I want to see a date in here that is at some point within the last 12 months.
    This shows that the document is fresh and that you have recently gone through that review.

  7. Keep meeting minutes of the ISO 27001 control review

    A top tip is to always have minutes for the meetings where this was recorded as signed off and approved by the management review meeting, so that you can tie the two together.
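As an added example (not part of this guide or of the High Table template), the following Python script checks a Statement of Applicability exported as CSV against the rules the steps above describe: an applicable control must carry one of the four reason categories and a Yes/No implementation status, a not-applicable control must carry a justification, and every control must have been assessed within the last 12 months. The column names, the sample rows and the review date are assumptions made for this example; the clause numbers and titles follow ISO 27001:2022 Annex A, everything else in the rows is constructed.

```python
import csv
import io
from datetime import date, timedelta

# Reason categories the guide records for an applicable control.
VALID_REASONS = {"Contract", "Legal", "Risk", "Business"}
# An auditor expects the last-assessed date to fall within the last 12 months.
MAX_AGE = timedelta(days=365)

# Constructed sample SoA in the column layout the guide describes (assumed
# column names). Clause numbers and titles follow ISO 27001:2022 Annex A;
# every other cell is made up for this example.
SAMPLE_SOA_CSV = """\
Clause,Title,Applicable,Reason,Implemented,Last Assessed,Not Applicable Reason
5.1,Policies for information security,Yes,Business,Yes,2024-03-01,
7.1,Physical security perimeters,No,,,2024-03-01,Fully remote with no premises
8.25,Secure development life cycle,No,,,2024-03-01,
8.5,Secure authentication,Yes,Risk,No,2024-03-01,
8.7,Protection against malware,Yes,Compliance,Yes,2022-01-15,
"""


def check_soa(csv_text, review_date):
    """Return a list of findings; an empty list means the SoA is consistent."""
    if isinstance(review_date, str):
        review_date = date.fromisoformat(review_date)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        clause = row["Clause"].strip()
        if row["Applicable"].strip().lower() == "yes":
            # Clause 6.1.3 d): a justification for including the control ...
            if row["Reason"].strip() not in VALID_REASONS:
                findings.append(f"{clause}: reason must be one of {sorted(VALID_REASONS)}")
            # ... and whether it is implemented or not (No is a valid answer).
            if row["Implemented"].strip().lower() not in {"yes", "no"}:
                findings.append(f"{clause}: implemented must be Yes or No")
        elif not row["Not Applicable Reason"].strip():
            # Clause 6.1.3 d): a justification for excluding an Annex A control.
            findings.append(f"{clause}: not-applicable control needs a justification")
        # Freshness: each control must have been assessed within the last 12 months.
        try:
            assessed = date.fromisoformat(row["Last Assessed"].strip())
        except ValueError:
            findings.append(f"{clause}: last assessed date missing or not YYYY-MM-DD")
            continue
        if review_date - assessed > MAX_AGE:
            findings.append(f"{clause}: last assessed {assessed}, over 12 months ago")
    return findings


if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA_CSV, "2024-06-01"):
        print(finding)
```

Run against the constructed sample with a review date of 2024-06-01, it flags 8.25 (excluded with no justification) and 8.7 twice (unrecognised reason category and a stale assessment date), while the control recorded as applicable but not yet implemented (8.5) passes, because the standard only requires the implementation status to be recorded.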

How to create and use an ISO 27001 Statement of Applicability: Video Guide

In this short video tutorial we show you how to create and use the Statement of Applicability for ISO 27001.

ISO 27001 Statement of Applicability Template

The ISO 27001 Statement of Applicability template used in this guide is available to download. It is an ISO 27001 Statement of Applicability Excel worksheet that is fully populated with all of the required controls and fully meets the requirements for ISO 27001 certification.

ISO 27001 Statement of Applicability Example

The Statement of Applicability example is what a Statement of Applicability would look like for ISO 27001.

This statement of applicability ISO 27001 example is taken directly from the High Table ISO 27001 Statement of Applicability Template.

Example ISO 27001 Statement of Applicability

For a more detailed ISO 27001 Statement of Applicability example, the ISO 27001 Statement of Applicability PDF shows what is required for ISO 27001 certification.

ISO 27001 Statement of Applicability FAQ

What is an ISO 27001 Statement of Applicability?

It is the document that lists the ISO 27001 Annex A business controls and records if they apply to you or not. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why the control applies to your business and if it does not apply, why it does not apply.

How do you write an ISO 27001 Statement of Applicability?

List out the ISO 27001 Annex A controls in a table. Add a column for whether each control applies to you or not. Add columns for why it applies, such as business, legal, risk or customer. Add a column that explains why a control does not apply, for those controls that do not. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. You can see this in the short video tutorial above.

What is an ISO 27001 SoA document?

It is another name for the statement of applicability document, the ISO 27001 Statement of Applicability (SoA).

Where can I download an ISO 27001 Statement of Applicability template?

An ISO 27001 Statement of Applicability template can be downloaded from High Table: The ISO 27001 Company.

Where can I get an ISO 27001 Statement of Applicability PDF?

The ISO 27001 Statement of Applicability PDF is a detailed PDF that shows you exactly what is required for ISO 27001 certification. It is a free PDF download.

What is the best format for a ISO 27001 statement of applicability?

In our experience an Excel spreadsheet works best, so a Statement of Applicability xls.

Is the statement of applicability required for ISO 27001 certification?

Yes. It is a requirement of ISO 27001 certification. We need to understand what controls the business has chosen to implement as part of its information security management framework.

How do I make an ISO 27001 statement of applicability?

You make a statement of applicability by creating a spreadsheet and listing out the controls that are defined in ISO 27001 and then recording if they are applicable to you or not. If they are not you record the reason why they are not.

Is an ISO 27001 Statement of Applicability confidential?

No. The statement of applicability is not confidential. It is a list of the controls you have implemented and may well be requested by customers and clients.

How long does it take to write an ISO 27001 Statement of Applicability ?

It should take about a day to create a statement of applicability from scratch. The main time sink is in copying and pasting from the standard and then putting in the correct and required columns. Then completing the document.

Who owns the ISO 27001 Statement of Applicability?

The owner of the statement of applicability will be decided by the business but it is good practice to assign it to a member of the board or senior leadership team as it has a direct impact on the business.

Who do I share an ISO 27001 Statement of Applicability with?

It will be shared with auditors for ISO 27001 certification. It can be requested by clients and customers.
You share the statement of applicability with anyone that asks for it and that you want to share it with.

Can I put the ISO 27001 Statement of Applicability on my website?

It would be recommended and best practice to put your ISO 27001 certification on your website and make the statement of applicability available on request.

Can I remove controls from the ISO 27001 Statement of Applicability?

You would not remove controls from the statement of applicability, but if they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it not applicable, rather than that you did not know about it or forgot to include it.

Can I add controls to an ISO 27001 Statement of Applicability?

Yes. You can add as many controls as are appropriate to your organisation as long as you have the ISO 27001 Annex A controls listed as a minimum.

What if an ISO 27001 Statement of Applicability control does not apply to me?

If they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it not applicable, rather than that you did not know about it or forgot to include it.

Do I need a statement of applicability for ISO 27001 certification?

Yes. It is the list of controls you have implemented and the auditor will need to know what to audit.

What does SoA mean?

SoA means Statement of Applicability.

What is the purpose of the ISO 27001 Statement of Applicability?

To communicate the information security controls that you have implemented. This will provide a level of assurance that the controls you have meet the needs and demands of your clients and customers.

Which version of the ISO 27001 Statement of Applicability (SoA) is required?

It is good practice to have both versions of the Statement of Applicability.
At the moment certification bodies are still providing ISO 27001 certification against ISO 27002:2013 (the old version) as they are not trained and geared up to certify against ISO 27002:2022.
This is why it is important to check with the certification body.
Having both versions of the Statement of Applicability (SoA) has a number of benefits:

  • It will make you more secure as you will have a superset of all the information security controls
  • It will future proof you for when ISO 27001 certification moves to certify against the new control set
  • It will allow you to plan your migration to, and implementation of, the new controls
