The ISO 27001 Statement of Applicability documents the information security controls that apply to your business and is a key document in the information security management system (ISMS). It is one of the first documents an auditor will normally ask for. As a minimum it lists all of the ISO 27001 Annex A controls and records whether they apply to your business or not. If not, it records why not.
Table of contents
- What Is It?
- Applicability to Small Businesses, Tech Startups, and AI Companies
- ISO 27001 Statement of Applicability Template
- Why You Need It
- When You Need It
- Who Needs It?
- Where You Need It
- How to Write It
- How to Implement It
- Examples of using it for small businesses
- Examples of using it for tech startups
- Examples of using it for AI companies
- How the ISO 27001 Toolkit Can Help
- Information Security Standards That Need It
- List of Relevant ISO 27001:2022 Controls
- How do you decide what controls to include in a Statement of Applicability (SoA)?
- What if the Statement of Applicability (SoA) controls don’t apply?
- ISO 27001 Statement of Applicability Example
- ISO 27001 Statement of Applicability FAQ
What Is It?
A Statement of Applicability, or SoA, is basically a checklist for your company’s information security. When you want to get ISO 27001 certified, you have to show that you’re protecting your data. The SoA is where you list all the security controls you’ve chosen to use. You’ll also explain why you picked those and why you left others out. It’s your way of saying, “Here’s what we do to stay secure, and here’s why.”
Applicability to Small Businesses, Tech Startups, and AI Companies
Whether you’re a small business, a new tech startup, or an AI company, the SoA is a must-have. Here’s a quick look at why it’s so important for each:
- Small Businesses: You need to prove you’re trustworthy to bigger clients. The SoA shows them you take security seriously.
- Tech Startups: You’re all about innovation, but you handle a lot of user data. The SoA helps you build trust and manage risks from the very beginning.
- AI Companies: You work with huge amounts of data, which can be sensitive. The SoA is crucial for protecting that data and showing you’re a responsible company.
ISO 27001 Statement of Applicability Template
The ISO 27001:2022 Statement of Applicability Template used in this guide is available to download. It is an ISO 27001 Statement of Applicability Excel worksheet that is fully populated with all of the required controls and fully meets the requirements for ISO 27001 certification.
Why You Need It
You need the SoA because it’s a key part of the ISO 27001 certification process. It helps you:
- Document your decisions: It’s a record of why you chose certain security measures.
- Show compliance: It proves to an auditor that you’re meeting the standard’s requirements.
- Manage risk: It forces you to think about what data you have and how to protect it.
When You Need It
You need to create the SoA after you’ve completed a risk assessment. This is a process where you figure out what your biggest security risks are. Once you know what you need to protect against, you can then decide which security controls from the ISO 27001 standard you’ll use. The SoA is the final document that brings it all together.
Who Needs It?
Any organisation that wants to get ISO 27001 certified needs a Statement of Applicability. It’s not just for big corporations; small and medium-sized businesses need it, too. Basically, if you want to prove your commitment to information security, you’ll need an SoA.
Where You Need It
The SoA is an internal document. You’ll keep it with your other ISO 27001 papers. It’s a living document, meaning you’ll update it as your business changes. When an auditor comes to check your security, the SoA is one of the first things they’ll want to see.
How to Write It
Writing an SoA is easy if you follow these steps:
- List all the controls: Start with a list of all 93 controls from ISO 27001:2022.
- Decide on each control: Go through the list and decide if you’ll use each one.
- Justify your choices: For each control you’re using, explain how you’ll implement it. If you’re not using one, explain why it doesn’t apply to your business.
- Get it approved: Make sure a senior manager signs off on the document to show their support.
Follow this simple step-by-step guide to create your ISO 27001 Statement of Applicability.
1. Buy a copy of the ISO 27002:2022 standard
Whilst the controls are listed in ISO 27001 Annex A, the actual implementation guidance is included in ISO 27002.
Most people would make a start by buying a copy of the standard.
You should always buy a copy of the standard.
Then you would work through ISO 27002 and laboriously copy and paste the controls into a spreadsheet.
The standard is not set out in a way that makes this easy for you. It will take you a long time if you do it yourself.
It can be a massive time sink.
I see people always start at this point, get most of the way through this step, realise the time involved and then look for help such as the ISO 27001 Statement of Applicability Template that has done all the hard work for you.
2. Create your Microsoft Excel Spreadsheet
Create a Microsoft Excel spreadsheet and add columns for the ISO 27001 Annex A control number, the title, the control objective, the reason the control is required, whether the control is applicable, the date it was last assessed and, if it is not applicable, the reason why. This is the basic structure.
3. Add each ISO 27002 control as a row in the Statement of Applicability Spreadsheet
Take the ISO 27001 Annex A control number and title directly from the standard, together with the control objective, and copy and paste them into the spreadsheet as one row per control.
4. Document the reason why the control applies to you
Then you are going to look at the drivers that you have considered in implementing the control.
You will NOT want to say that you have implemented it because the standard says you have to, which is factually correct, but is not what the auditor for ISO 27001 certification wants to hear.
Whether true or not, you want to be able to say why you implemented the control, so for simplicity record one of the main reasons:
- Contract Reason
- Legal Reason
- Risk Reason
- Business Reason
5. Document which controls do not apply to you
It may well be that there are ISO 27001 Annex A controls that you do not need. This is perfectly fine.
Reasons for controls not applying to you can include that you do not have risks that they mitigate or they reference something you simply do not have, such as physical premises.
You are still going to record the control in the statement of applicability but you are going to record that it is not in-scope. In other words, it does not apply to you. In addition you will record the reason that it does not apply to you.
At your ISO 27001 certification the auditor wants to see why you think a particular control doesn’t apply to you.
It is rare that controls don’t apply to an organisation, as it is an international standard and covers across the board, but it does happen. Just have your reasoning in place.
For example, if you do not do software development then the secure development controls do not apply. If you are fully remote, then many of the physical security controls would not apply.
You just record the control and state the reason. Now you don’t have to worry about them.
6. Regularly review the applicability of the controls
The applicability of controls needs to be reviewed regularly.
You will review this whenever there is a significant change and at least once a year.
In your Statement of Applicability you are going to record the date that each control was last assessed.
For good document mark-up you will have version control on your document that shows when the main review took place.
Anyone looking at it, an auditor in particular, is going to want to see a last-assessed date that is within the last 12 months.
This shows the document is fresh and you’ve recently gone through that review.
7. Keep meeting minutes of the ISO 27001 control review
A top tip: always keep minutes for the management review meeting where the Statement of Applicability was signed off and approved, and tie the two together so the approval is evidenced.
How to Implement It
Implementing your SoA means putting your plans into action. If your SoA says you’ll use two-factor authentication, you need to make sure you’ve actually set it up. It’s all about making sure what you wrote on paper is what you’re doing in real life. This is the part where you make your security promises a reality.
Examples of using it for small businesses
Imagine you run a small online shop. Your SoA might say you’ll use encryption to protect customer payment info. You’d also note that because you don’t have a large physical office, you won’t use controls for physical security like security guards.
Examples of using it for tech startups
If you’re a new app company, your SoA would focus on things like secure coding practices and regular security testing. You’d probably also decide to use controls for access control to ensure only authorised people can see sensitive data.
Examples of using it for AI companies
As an AI company, you’d likely have a strong focus on data privacy. Your SoA would include controls related to the anonymization of data. You’d also mention how you protect your unique AI models from being stolen.
How the ISO 27001 Toolkit Can Help
An ISO 27001 toolkit is a lifesaver. It’s a package of pre-made documents, templates, and guides. It helps you quickly put together your SoA, saving you a ton of time and effort. It takes the guesswork out of the process, making it much easier to achieve certification.
Information Security Standards That Need It
The Statement of Applicability is a core part of the ISO 27001 standard. You won’t find it by that name in other standards, but many of them, like SOC 2 or NIST, have similar requirements for documenting security controls. The SoA is unique to ISO 27001, making it a key part of that specific certification. Other standards and regulations where a record of this kind is useful include:
- CCPA (California Consumer Privacy Act)
- DORA (Digital Operational Resilience Act)
- NIS2 (Network and Information Security (NIS) Directive)
- SOC 2 (Service Organisation Control 2)
- NIST (National Institute of Standards and Technology)
- HIPAA (Health Insurance Portability and Accountability Act)
- GDPR (General Data Protection Regulation)
List of Relevant ISO 27001:2022 Controls
The ISO 27001 Statement of Applicability is defined in ISO 27001 clause 6.1.3, Information Security Risk Treatment.
How do you decide what controls to include in a Statement of Applicability (SoA)?
You decide on the controls to include in the Statement of Applicability (SoA) in a number of different ways.
The main approach to identifying the controls that you need is:
- Define the scope of your information security management system (ISMS)
- Conduct a risk assessment to identify information security risks
- Choose controls from ISO 27001 Annex A that mitigate those risks.
As a minimum that list of controls is going to include the ISO 27001 Annex A controls. That forms the bare minimum for ISO 27001 certification and, to be fair, is often enough.
Of course, there may be additional controls that you’re going to record as well that you are implementing either from other standards or from direct requests from your customers.
Additional customer requirements would be captured on your legal and contractual register and the actual controls would be added to your Statement of Applicability (SoA).
As a basic requirement we are going to make a start and we are going to include the ISO 27001 Annex A controls and list them.
The list of ISO 27001 Annex A controls is going to be used many times.
What if the Statement of Applicability (SoA) controls don’t apply?
It is very possible that the list of controls provided in the ISO 27001 Annex A controls includes controls that do not apply to your organisation.
So what should you do? Implement them anyway to pass the ISO 27001 certification?
No.
The approach you take is to record in the Statement of Applicability (SoA) that the controls do not apply to you and to state the reason why they do not apply.
If you do not have physical premises and work remotely, then it is highly possible that physical security controls such as ISO 27001 Annex A Control 7.1 Physical security perimeter and ISO 27001 Annex A Control 7.2 Physical entry controls, which apply to data processing facilities, will not apply to you. If you do not do software development, then the software development controls such as ISO 27001 Annex A 8.25 Secure Development Life Cycle do not apply to you.
Have a complete list but show and record the controls that are not applicable stating the reason why.
As a top tip it would be my recommendation to record all of the out of scope controls on the risk register and manage them through the risk management process which includes accepting the risk and documenting the decision as evidence.
ISO 27001 Statement of Applicability Example
The Statement of Applicability example is what a Statement of Applicability would look like for ISO 27001.
This statement of applicability ISO 27001 example is taken directly from the High Table ISO 27001 Statement of Applicability Template.
ISO 27001 Statement of Applicability FAQ
What is an ISO 27001 Statement of Applicability?
It is the document that lists the ISO 27001 Annex A business controls and records if they apply to you or not. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why the control applies to your business and if it does not apply, why it does not apply.
How do you write an ISO 27001 Statement of Applicability?
List out the ISO 27001 Annex A controls in a table. Add a column for whether each control applies to you or not. Add columns for why it applies, such as business, legal, risk or customer. Add a column, used only for controls that do not apply, to explain why it does not apply. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. You can view it in this short tutorial.
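The checks an auditor applies to the worksheet described in the step-by-step guide above and in this answer (every Annex A control listed, each marked applicable or not, a reason category for applicable controls, a justification for not-applicable ones, and a last-assessed date within the last 12 months) can be run automatically over a CSV export. The following is an added example written for this page; it is not code from the guide or from the High Table template. The column names, the three-control subset of Annex A (a real SoA lists all 93) and the sample rows are constructed for the example.

```python
"""Added example: audit-style checks over a Statement of Applicability (SoA)
worksheet exported as CSV. Column names, the control subset and the sample rows
are constructed for this example, not taken from any template."""
import csv
import io
from datetime import date, timedelta

# Constructed subset of the ISO 27001 Annex A controls; a real SoA lists all 93.
REQUIRED_CONTROLS = {
    "7.1": "Physical security perimeter",
    "7.2": "Physical entry controls",
    "8.25": "Secure Development Life Cycle",
}
# The four reason categories the guide records for an applicable control.
REASON_CATEGORIES = {"Contract", "Legal", "Risk", "Business"}
# Auditors expect each control to have been assessed within the last 12 months.
REVIEW_WINDOW = timedelta(days=365)

# Constructed worksheet for a fully remote company: 7.2 has no justification and
# 8.25 was last assessed well over a year before the review date used below.
SAMPLE_SOA_CSV = """\
control,title,applicable,reason,not_applicable_reason,last_assessed
7.1,Physical security perimeter,No,,Fully remote; no premises or data-processing facilities,2024-03-01
7.2,Physical entry controls,No,,,2024-03-01
8.25,Secure Development Life Cycle,Yes,Contract;Risk,,2022-11-15
"""


def load_soa(csv_text):
    """Parse the worksheet into a list of row dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def validate_soa(rows, review_date):
    """Return (control, finding) tuples in worksheet order; an empty list passes.

    review_date is an ISO date string: the day the SoA is being checked."""
    today = date.fromisoformat(review_date)
    findings = []
    seen = set()
    for row in rows:
        cid = row["control"].strip()
        seen.add(cid)
        applicable = row["applicable"].strip().lower()
        if applicable == "yes":
            # Several reasons may be recorded, separated by semicolons.
            reasons = {r.strip() for r in row["reason"].split(";") if r.strip()}
            if not reasons or not reasons <= REASON_CATEGORIES:
                findings.append((cid, "applicable control lacks a valid reason category"))
        elif applicable == "no":
            if not row["not_applicable_reason"].strip():
                findings.append((cid, "not-applicable control has no justification"))
        else:
            findings.append((cid, "applicability not recorded as Yes or No"))
        try:
            assessed = date.fromisoformat(row["last_assessed"].strip())
        except ValueError:
            findings.append((cid, "last_assessed date missing or malformed"))
            continue
        if today - assessed > REVIEW_WINDOW:
            findings.append((cid, "last assessed more than 12 months ago"))
    # Controls the standard requires but the worksheet omits (the "forgot it" case).
    for cid in REQUIRED_CONTROLS:
        if cid not in seen:
            findings.append((cid, "Annex A control missing from the SoA"))
    return findings


if __name__ == "__main__":
    for control, finding in validate_soa(load_soa(SAMPLE_SOA_CSV), "2024-06-01"):
        print(f"{control}: {finding}")
```

Run against the constructed worksheet with a review date of 2024-06-01, it flags 7.2 for a missing justification and 8.25 for a stale assessment; removing a row from the export produces a missing-control finding, which is the "forgot to include it" case the FAQ warns about.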
What is an ISO 27001 SoA document?
It is another name for the statement of applicability document, the ISO 27001 Statement of Applicability (SoA).
Where can I download an ISO 27001 Statement of Applicability template?
An ISO 27001 Statement of Applicability template can be downloaded from High Table: The ISO 27001 Company.
Where can I get an ISO 27001 Statement of Applicability PDF?
The ISO 27001 Statement of Applicability PDF is a detailed PDF that shows you exactly what is required for ISO 27001 certification. It is a free PDF download.
What is the best format for a ISO 27001 statement of applicability?
In our experience an Excel spreadsheet works best, so a Statement of Applicability xls.
Is the statement of applicability required for ISO 27001 certification?
Yes. It is a requirement of ISO 27001 certification.
We need to understand what controls the business has chosen to implement as part of its information security management framework.
How do I make an ISO 27001 statement of applicability?
You make a statement of applicability by creating a spreadsheet and listing out the controls that are defined in ISO 27001 and then recording if they are applicable to you or not. If they are not you record the reason why they are not.
Is an ISO 27001 Statement of Applicability confidential?
No. The statement of applicability is not confidential. It is a list of the controls you have implemented and may well be requested by customers and clients.
How long does it take to write an ISO 27001 Statement of Applicability ?
It should take about a day to create a statement of applicability from scratch. The main time sink is in copying and pasting from the standard and then putting in the correct and required columns. Then completing the document.
Who owns the ISO 27001 Statement of Applicability?
The owner of the statement of applicability will be decided by the business but it is good practice to assign it to a member of the board or senior leadership team as it has a direct impact on the business.
Who do I share an ISO 27001 Statement of Applicability with?
It will be shared with auditors for ISO 27001 certification. It can be requested by clients and customers.
You share the statement of applicability with anyone that asks for it and that you want to share it with.
Can I put the ISO 27001 Statement of Applicability on my website?
It would be recommended and best practice to put your ISO 27001 certification on your website and make the statement of applicability available on request.
Can I remove controls from the ISO 27001 Statement of Applicability?
You would not remove controls from the statement of applicability, but if they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it was not applicable, rather than that you did not know about it or forgot to include it.
Can I add controls to an ISO 27001 Statement of Applicability?
Yes. You can add as many controls as are appropriate to your organisation as long as you have the ISO 27001 Annex A controls listed as a minimum.
What if an ISO 27001 Statement of Applicability control does not apply to me?
If they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it was not applicable, rather than that you did not know about it or forgot to include it.
Do I need a statement of applicability for ISO 27001 certification?
Yes. It is the list of controls you have implemented and the auditor will need to know what to audit.
What does SoA mean?
SoA means Statement of Applicability.
What is the purpose of the ISO 27001 Statement of Applicability?
To communicate the information security controls that you have implemented. This provides a level of assurance that the controls you have in place meet the needs and demands of your clients and customers.
Is the SoA the same as a risk assessment?
No, the risk assessment tells you what risks you have, and the SoA tells you how you’ll deal with them.
How often should I update my SoA?
You should review it at least once a year, or whenever your business changes in a big way.
Can I get certified without an SoA?
No, the SoA is a mandatory document for ISO 27001 certification.
Does my SoA have to be public?
No, it’s an internal document you share with your auditor.
Is there a tool that can help me write it?
Yes, an ISO 27001 toolkit is a great place to start.
What’s the difference between ISO 27001:2013 and ISO 27001:2022 SoA?
The 2022 version has a new list of controls, so you’ll need to update your SoA to match.
Do all 93 controls need to be in my SoA?
Yes, you must list all of them and justify why you’re using or not using each one.
What if a control doesn’t apply to my business?
You still need to list it in your SoA and explain why it’s not relevant.
Who is responsible for the SoA?
Usually, the person in charge of information security, like a CISO or IT manager, is responsible.
How long does it take to write an SoA?
It depends on your company’s size, but it can take a few weeks to a few months.
Do I need a lawyer to write my SoA?
No, you can write it yourself, but a consultant can help if you’re unsure.
Can my company still be certified if we don’t use all the controls?
Yes, as long as you have a good reason for not using them and it doesn’t create a security risk.
What is a justification?
It’s the reason you give for choosing a specific control.
Is the SoA a technical document?
It can be, but it’s more of a management document.
What happens if an auditor finds a mistake in my SoA?
They might give you a non-conformity, and you’ll have to fix it before you can get certified.