ISO 27001 Statement of Applicability: Ultimate Guide


ISO 27001 Statement of Applicability

The ISO 27001 Statement of Applicability documents the information security controls that apply to your business and is a key document in the information security management system (ISMS). It is one of the first documents an auditor will normally ask for. As a minimum it lists all of the ISO 27001 Annex A controls and records whether or not they apply to your business. If not, it records why not.

In this ultimate guide I show you everything you need to know about the ISO 27001 Statement of Applicability (SoA).

You will learn

  • What is an ISO 27001 Statement of Applicability?
  • How to create an ISO 27001 Statement of Applicability

What is an ISO 27001 Statement of Applicability?

A Statement of Applicability (SoA) is the list of information security controls that you are applying in your organisation. The Statement of Applicability is a mandatory document required for ISO 27001 certification.

ISO 27001 Statement of Applicability Purpose

The purpose of the ISO 27001 Statement of Applicability is to be able to communicate to auditors, staff and third parties, which of the ISO 27001 Annex A controls your organisation has applied.

As not all of the ISO 27001 Annex A controls are mandatory, it helps people to understand which controls you have applied to support your ISO 27001 certification.

It is possible to be ISO 27001 certified with very few Annex A controls, and as such the Statement of Applicability is the second most requested document after the ISO 27001 certificate itself.

ISO 27001 Statement of Applicability Definition

The ISO 27001 Statement Of Applicability is defined in ISO 27001 clause 6.1.3 Information Security Risk Treatment as:

produce a Statement of Applicability that contains:

— the necessary controls;

— justification for their inclusion;

— whether the necessary controls are implemented or not; and

— the justification for excluding any of the Annex A controls.

ISO27001:2022 Clause 6.1.3 d Statement of Applicability

ISO27001:2022 Statement of Applicability

The ISO 27001 standard changed in 2022, and with it the list of controls.

You can find all of the ISO27001:2022 Statement of Applicability controls in the ISO27001:2022 Annex A Controls Reference Guide.

To see what has changed, what is new and what was removed, you can read The Complete Guide to Changes to the ISO 27002 Standard.

What that means is that when you go for your ISO 27001 certification you should speak to the certification body and clarify which control set, i.e. which version of the ISO 27001 standard or list of controls, they are going to audit and certify you against.

Why is an ISO 27001 Statement of Applicability important?

The Statement of Applicability is a document that you’re always asked for.

You are going to be asked for it by the auditors and you are going to be asked for it by third parties such as your clients and potential clients.

In fact, anybody looking at your information security management system will want to know what the statement of applicability is.

The Statement of Applicability (SoA) is important because it lists out the controls that your organisation has implemented for information security.

What people want to know is what is the scope of your ISO 27001 certification, in other words what does the certificate cover, and what are the information security controls that you have implemented to protect it.

When it comes time for the ISO 27001 certification audit the certification body is going to ask for the Statement of Applicability (SoA) so that they know what controls they are auditing.

ISO 27001 Controls

Information security controls are controls that mitigate information security risks.

Information security is about the confidentiality, integrity and availability of data.

ISO 27001 includes an Annex A which is a list of common information security controls for you to consider that are known to mitigate information security risks.

ISO 27001 Annex A is based on the ISO 27002:2022 standard, which sets out the information security controls with detailed implementation guidance.

You can read about the difference between ISO 27001 and ISO 27002 and also see a list of all the ISO 27001 controls.

How do you decide what controls to include in a Statement of Applicability (SoA)?

You decide on the controls to include in the Statement of Applicability (SoA) in a number of different ways.

The main approach to identifying the controls that you need is:

  1. Define the scope of your information security management system (ISMS)
  2. Conduct a risk assessment to identify information security risks
  3. Choose controls from ISO 27001 Annex A that mitigate those risks.

As a minimum that list of controls is going to include the ISO 27001 Annex A controls. That forms the bare minimum part of the ISO 27001 certification and, to be fair, is often enough.

Of course, there may be additional controls that you’re going to record as well that you are implementing either from other standards or from direct requests from your customers.

Additional customer requirements would be captured on your legal and contractual register and the actual controls would be added to your Statement of Applicability (SoA).

As a basic requirement, we are going to make a start by listing the ISO 27001 Annex A controls.

The list of ISO 27001 Annex A controls is going to be used many times.

What if the Statement of Applicability (SoA) controls don’t apply?

It is very possible that the list of controls provided in the ISO 27001 Annex A controls includes controls that do not apply to your organisation.

So what should you do? Implement them anyway to pass the ISO 27001 certification?

No.

The approach that you take is to record in the Statement of Applicability (SoA) that the controls do not apply to you and to state the reason why they do not apply.

If you do not have physical premises and work remotely, then it is highly likely that the physical security controls that apply to data processing facilities, such as ISO 27001 Annex A Control 7.1 Physical security perimeter and ISO 27001 Annex A Control 7.2 Physical entry controls, will not apply to you. If you do not do software development, then the software development controls such as ISO 27001 Annex A 8.25 Secure Development Life Cycle do not apply to you.

Keep a complete list, but mark the controls that are not applicable and record the reason why.

As a top tip, I recommend recording all of the out-of-scope controls on the risk register and managing them through the risk management process, which includes accepting the risk and documenting the decision as evidence.

How to create an ISO 27001 Statement of Applicability

Follow this simple step-by-step guide to create your ISO 27001 Statement of Applicability.

1. Buy a copy of the ISO27002:2022 standard

Whilst the controls are listed in ISO 27001 Annex A, the actual implementation guidance is included in ISO 27002.

Most people would make a start by buying a copy of the standard.

You should always buy a copy of the standard.

Then you would work through the ISO 27002 standard and laboriously copy and paste the controls into a spreadsheet.

The standard is not set out in a way to make this easy for you. It will take you a long time if you do it yourself.

It can be a massive time sink.

I see people always start at this point and then pretty much get to the end of this step, realise the time involved and then look to get help, such as the ISO 27001 Statement of Applicability Template that has done all the hard work for you.

2. Create your Microsoft Excel Spreadsheet

Create a Microsoft Excel spreadsheet and add columns for: the ISO 27001 Annex A control number, the title, the control objective, the reason the control is required, whether the control is applicable, the date it was last assessed and, if it is not applicable, the reason why. This is the basic structure.

3. Add each ISO 27002 control as a row in the Statement of Applicability Spreadsheet

Take the ISO 27001 Annex A control number, the title and the control objective directly from the standard and copy and paste them into the spreadsheet, one control per row.

4. Document the reason why the control applies to you

Then you are going to look at the drivers that you have considered in implementing the control.

You will NOT want to say that you have implemented it because the standard says you have to, which is factually correct, but is not what the auditor for ISO 27001 certification wants to hear.

Whether true or not, you want to be able to say why you implemented the control, so for simplicity we are going to record one of the main reasons:

  • Contract Reason
  • Legal Reason
  • Risk Reason
  • Business Reason

5. Document which controls do not apply to you

It may well be that there are ISO 27001 Annex A controls that you do not need. This is perfectly fine.

Reasons for controls not applying to you can include that you do not have risks that they mitigate or they reference something you simply do not have, such as physical premises.

You are still going to record the control in the statement of applicability but you are going to record that it is not in-scope. In other words, it does not apply to you. In addition you will record the reason that it does not apply to you.

At your ISO 27001 certification the auditor wants to see why you think a particular control doesn’t apply to you.

It is rare for controls not to apply, as it is an international standard that covers organisations across the board, but it does happen. Just have your reasoning in place.

For example, if you do not do software development then that section does not apply. If you are fully remote, then many of the controls on physical security would not apply.

You just record and state the reason. Now you don’t have to worry about them.

6. Regularly review the applicability of the controls

The applicability of controls needs to be reviewed regularly.

You will review this whenever there is a significant change and at least once a year.

In your Statement of Applicability you are going to record the date that each control was last assessed.

For good document control, your document will have version control that shows when the main review took place.

Anyone looking at it is going to say: I want to see a date in here at some point within the last 12 months.

This shows this document is fresh and you’ve recently gone through that review.

7. Keep meeting minutes of the ISO 27001 control review

A top tip is to always keep the minutes of the management review meeting in which the Statement of Applicability was signed off and approved, so that the two documents are tied together.
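The checks an auditor applies to the spreadsheet described in steps 2 to 6 (every Annex A control listed, a business driver rather than "the standard says so" for each applicable control, a recorded justification for each exclusion, and a last-assessed date within the past 12 months) can be automated over a CSV export of the SoA. This is an added example, not code from the guide or the High Table template; the column names, the control subset in EXPECTED_CONTROLS and the review date are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample of an SoA spreadsheet exported as CSV (not the guide's template).
# Columns follow the guide: control, title, applicable, reason the control is required
# (Contract/Legal/Risk/Business), reason if not applicable, date last assessed.
SOA_CSV = """control,title,applicable,reason,not_applicable_reason,last_assessed
5.1,Policies for information security,Yes,Business,,2024-03-01
7.1,Physical security perimeter,No,,Fully remote organisation with no premises,2024-03-01
7.2,Physical entry,No,,,2024-03-01
8.25,Secure development life cycle,Yes,Standard says so,,2022-01-15
"""
# Hypothetical subset of Annex A control numbers standing in for the complete list;
# a real check would load every ISO 27001:2022 Annex A control number.
EXPECTED_CONTROLS = {"5.1", "7.1", "7.2", "8.25", "8.26"}
TODAY = date(2024, 6, 1)  # constructed review date for the example

VALID_REASONS = {"Contract", "Legal", "Risk", "Business"}
REQUIRED_COLUMNS = {"control", "title", "applicable", "reason",
                    "not_applicable_reason", "last_assessed"}


def check_soa(csv_text, expected_controls, today):
    """Return the findings an auditor would raise against the SoA rows."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    headers = set(rows[0].keys()) if rows else set()
    missing_cols = REQUIRED_COLUMNS - headers
    if missing_cols:
        return [f"missing columns: {sorted(missing_cols)}"]
    findings, seen = [], set()
    for r in rows:
        cid = r["control"].strip()
        seen.add(cid)
        applicable = r["applicable"].strip().lower() == "yes"
        # Applicable controls need a business driver, not "the standard says so".
        if applicable and r["reason"].strip() not in VALID_REASONS:
            findings.append(f"{cid}: applicable but reason is not one of {sorted(VALID_REASONS)}")
        # Excluded controls stay on the list and must carry a justification.
        if not applicable and not r["not_applicable_reason"].strip():
            findings.append(f"{cid}: not applicable but no justification recorded")
        # Every row must have been assessed within the last 12 months.
        assessed = date.fromisoformat(r["last_assessed"].strip())
        if today - assessed > timedelta(days=365):
            findings.append(f"{cid}: last assessed {assessed}, more than 12 months ago")
    # A control missing from the list cannot have been considered at all.
    for cid in sorted(expected_controls - seen):
        findings.append(f"{cid}: Annex A control missing from the SoA")
    return findings
```

Running `check_soa(SOA_CSV, EXPECTED_CONTROLS, TODAY)` on the sample flags the unjustified exclusion of 7.2, the weak reason and stale date on 8.25, and the missing control 8.26.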

ISO 27001 Statement of Applicability: Video Guide

In this short video tutorial we show you how to create and use the Statement of Applicability for ISO 27001.

ISO 27001 Statement of Applicability 2022 Template

The ISO 27001 Statement of Applicability 2022 Template used in this guide is available to download. This is an ISO 27001 statement of applicability excel worksheet that is fully populated with all of the required controls and fully meets the requirements for ISO 27001 certification.

ISO 27001 Statement of Applicability Template


ISO 27001 Statement of Applicability Example

The Statement of Applicability example shows what a Statement of Applicability for ISO 27001 looks like.

This ISO 27001 Statement of Applicability example is taken directly from the High Table ISO 27001 Statement of Applicability Template.

Example ISO 27001 Statement of Applicability

For a more detailed ISO 27001 Statement of Applicability example, the ISO 27001 Statement of Applicability PDF shows what is required for ISO 27001 certification.

ISO 27001 Statement of Applicability FAQ

What is an ISO 27001 Statement of Applicability?

It is the document that lists the ISO 27001 Annex A business controls and records if they apply to you or not. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why the control applies to your business and if it does not apply, why it does not apply.

How do you write an ISO 27001 Statement of Applicability?

List out the ISO 27001 Annex A controls in a table. Add a column for whether each control applies to you or not. Add columns for why it applies, such as business, legal, risk or customer. Add a column, used only for the controls that do not apply, to explain why it does not apply. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement. You can see this in the short video tutorial.

What is an ISO 27001 SoA document?

It is another name for the statement of applicability document, the ISO 27001 Statement of Applicability (SoA).

Where can I download an ISO 27001 Statement of Applicability template?

An ISO 27001 Statement of Applicability template can be downloaded from High Table: The ISO 27001 Company.

Where can I get an ISO 27001 Statement of Applicability PDF?

The ISO 27001 Statement of Applicability PDF is a detailed PDF that shows you exactly what is required for ISO 27001 certification. It is a free PDF download.

What is the best format for an ISO 27001 statement of applicability?

In our experience an Excel spreadsheet works best, i.e. a Statement of Applicability .xls.

Is the statement of applicability required for ISO 27001 certification?

Yes. It is a requirement of ISO 27001 certification.

We need to understand what controls the business has chosen to implement as part of its information security management framework.

How do I make an ISO 27001 statement of applicability?

You make a statement of applicability by creating a spreadsheet and listing out the controls that are defined in ISO 27001 and then recording if they are applicable to you or not. If they are not you record the reason why they are not.

Is an ISO 27001 Statement of Applicability confidential?

No. The statement of applicability is not confidential. It is a list of the controls you have implemented and may well be requested by customers and clients.

How long does it take to write an ISO 27001 Statement of Applicability?

It should take about a day to create a statement of applicability from scratch. The main time sink is copying and pasting from the standard, putting in the correct and required columns and then completing the document.

Who owns the ISO 27001 Statement of Applicability?

The owner of the statement of applicability will be decided by the business but it is good practice to assign it to a member of the board or senior leadership team as it has a direct impact on the business.

Who do I share an ISO 27001 Statement of Applicability with?

It will be shared with auditors for ISO 27001 certification. It can be requested by clients and customers.

You share the statement of applicability with anyone that asks for it and that you want to share it with.

Can I put the ISO 27001 Statement of Applicability on my website?

It would be recommended and best practice to put your ISO 27001 certification on your website and make the statement of applicability available on request.

Can I remove controls from the ISO 27001 Statement of Applicability?

You would not remove controls from the statement of applicability, but if they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered the control, understood it, assessed it and deemed it not applicable, rather than not knowing about it or forgetting to include it.

Can I add controls to an ISO 27001 Statement of Applicability?

Yes. You can add as many controls as are appropriate to your organisation as long as you have the ISO 27001 Annex A controls listed as a minimum.

What if an ISO 27001 Statement of Applicability control does not apply to me?

If they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered the control, understood it, assessed it and deemed it not applicable, rather than not knowing about it or forgetting to include it.

Do I need a statement of applicability for ISO 27001 certification?

Yes. It is the list of controls you have implemented and the auditor will need to know what to audit.

What does SoA mean?

SoA means Statement of Applicability.

What is the purpose of the ISO 27001 Statement of Applicability?

To communicate the information security controls that you have implemented. This will provide a level of assurance that the controls you have meet the needs and demands of your clients and customers.