Statement of Applicability

What a Statement of Applicability contains, how to write it, and a downloadable template.

Estimated reading time: 3 minutes

What is it?

The Statement of Applicability is the list of controls that you are implementing in your organisation. It also includes the controls you are not implementing, with a justification for why not where appropriate. It is based on Annex A / ISO 27002 and can include additional controls, such as those imposed by customers.

The Statement of Applicability forms part of the ISO 27001 document pack.


How to create and use the Statement of Applicability: tutorial

In this short tutorial we show you how.


What is the Statement of Applicability?

It is the document that lists the ISO 27001 Annex A controls and records whether or not each one applies to you. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why a control applies to your business and, if it does not apply, why not.

How do you write a statement of applicability?

List the ISO 27001 Annex A controls in a table. Add a column recording whether each control applies to you or not. Add columns for why it applies, such as business, legal, risk or customer. Add a column, used only for the controls that do not apply, explaining why the control does not apply. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. This is shown in the short tutorial.
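The column layout described above lends itself to a consistency check before an audit: every Annex A control is listed, every applicable control has a reason and an implementation note, every excluded control has a justification, and review dates are in order. The following is an added example, not code from the original page or the template; the "A.x.y" control ids and the sample rows are constructed stand-ins for the real Annex A list.

```python
from dataclasses import dataclass, field
from datetime import date

# Reason categories the tutorial names for why a control applies.
APPLIES_REASONS = {"business", "legal", "risk", "customer"}

@dataclass
class SoaRow:
    # One SoA table row with the columns the tutorial describes.
    control_id: str
    applies: bool
    reasons: set = field(default_factory=set)  # why it applies
    exclusion_justification: str = ""          # why it does not apply
    implementation: str = ""                   # what is in place to satisfy it
    last_reviewed: date = None
    next_review: date = None

def validate_row(row):
    # Problems an auditor would flag on one row (empty list if none).
    problems = []
    if row.applies:
        if not row.reasons:
            problems.append("applicable control has no reason recorded")
        elif not row.reasons <= APPLIES_REASONS:
            problems.append("reason outside business/legal/risk/customer")
        if not row.implementation.strip():
            problems.append("no description of the implemented control")
    elif not row.exclusion_justification.strip():
        problems.append("excluded control has no justification")
    if row.last_reviewed is None or row.next_review is None:
        problems.append("missing review date")
    elif row.next_review <= row.last_reviewed:
        problems.append("next review is not after last review")
    return problems

def validate_soa(rows, required_ids):
    # Check every row, then report required controls that have no row at all.
    report = {row.control_id: validate_row(row) for row in rows}
    report = {cid: probs for cid, probs in report.items() if probs}
    for cid in sorted(set(required_ids) - {row.control_id for row in rows}):
        report[cid] = ["control missing from the SoA"]
    return report

# Constructed sample: "A.x.y" ids stand in for the real Annex A control list.
REQUIRED_IDS = ["A.x.1", "A.x.2", "A.x.3"]
SAMPLE_ROWS = [
    SoaRow("A.x.1", True, {"legal", "risk"}, implementation="Approved policy set",
           last_reviewed=date(2024, 1, 10), next_review=date(2025, 1, 10)),
    SoaRow("A.x.2", False, last_reviewed=date(2024, 1, 10), next_review=date(2025, 1, 10)),
]
```

Running `validate_soa(SAMPLE_ROWS, REQUIRED_IDS)` on the sample flags the excluded control with no justification and the control that is missing from the table entirely.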

What is an SoA document?

It is another name for the Statement of Applicability document.

Where can I download a statement of applicability template?

A statement of applicability document template can be downloaded here:

What is the best format for a Statement of Applicability?

In our experience a spreadsheet works best, so a Statement of Applicability in xls format.

Is the Statement of Applicability required for ISO 27001 certification?

Yes. It is a requirement of ISO 27001 certification.
