Statement of Applicability
What a statement of applicability contains, how to write it and a downloadable template.
What is it?
The statement of applicability is the list of controls that you are implementing in your organisation. It also includes the controls you are not implementing, along with a justification for why not, where appropriate. It is based on Annex A / ISO 27002 and can include additional controls, such as those imposed by customers.
The Statement of Applicability forms part of the ISO 27001 document pack.
How to create and use a Statement of Applicability: tutorial
In this short tutorial we show you how.
It is the document that lists the ISO 27001 Annex A business controls and records whether or not they apply to you. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why a control applies to your business and, if it does not apply, why not.
List the ISO 27001 Annex A controls in a table. Add a column for whether each control applies to you or not. Add columns for why it applies, such as business, legal, risk or customer reasons. Add a column, for those controls that do not apply, explaining why they do not apply. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. This is shown in the short tutorial.
It is another name for the Statement of Applicability document.
A statement of applicability document template can be downloaded here: https://hightable.io/product/statement-of-applicability/
In our experience a spreadsheet works best, so a Statement of Applicability xls
Yes. It is a requirement of ISO 27001 certification.