In this article we lay bare the ISO 27001 Statement of Applicability (SoA): exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We also show you exactly what changed in the ISO 27001:2022 update. I am Stuart Barker, the ISO 27001 Ninja, and this is the ISO 27001 Statement of Applicability (SoA).
Table of contents
- What is a Statement of Applicability?
- Statement of Applicability 2022 Changes
- Step-by-step guide to writing the ISO 27001 Statement Of Applicability (SoA)
- How to create and use an ISO 27001 Statement of Applicability
- ISO 27001 Statement of Applicability Template
- Which version of the Statement of Applicability (SoA) is required?
- Why you need an ISO 27001 Statement of Applicability
- How do you decide what controls to include in a Statement of Applicability (SoA)?
- What if the Statement of Applicability (SoA) controls don’t apply?
- ISO 27001 Statement of Applicability Example
- ISO 27001 Statement of Applicability FAQ
What is a Statement of Applicability?
The Statement of Applicability (SoA) is the list of information security controls that you are applying in your organisation.
Statement of Applicability 2022 Changes
It is worth noting at this point that there are two versions of the Statement of Applicability that could apply to your organisation. The ISO 27002 Standard changed in 2022 and with it the list of controls changed.
What that means is that when you go for your ISO 27001 certification you should speak to the certification body and clarify with them which control set, i.e. which version of the ISO 27002 standard or list of controls, they are going to audit and certify you against.
You can read The Complete Guide to Changes to the ISO 27002 Standard to see what is in, what is out, and what has changed.
Step-by-step guide to writing the ISO 27001 Statement Of Applicability (SoA)
If you are dead set on writing this yourself from scratch you are going to need to set aside about 40 hours. You could buy the template and save yourself the time but here are the steps to follow to create an ISO 27001 Statement of Applicability from scratch.
Time needed: 1 hour
How to write an ISO 27001 Statement of Applicability (SoA)
- Buy a copy of the standard ISO 27002:2022
Most people would make a start by buying a copy of the standard. You should always buy a copy of the standard. Then you would work through the ISO 27002 standard and laboriously copy and paste the controls into a spreadsheet.
The standard is not set out in a way that makes this easy for you. It will take you a long time if you do it yourself, and it can be a massive time sink. I always see people start at this point, get pretty much to the end of this step, realise the time involved and then look for help.
- Create your Microsoft Excel Spreadsheet
Create a Microsoft Excel spreadsheet and add columns for the ISO 27002 clause, the title, the control objective, the reason the control is required, whether the control is applicable, the date it was last assessed and, if it is not applicable, the reason why.
- Add each ISO 27002 control as a row in the Statement of Applicability Spreadsheet
You are going to take the clause and the title directly from the standard and you are going to take the control objective directly out of Annex A / ISO 27002 and you are going to copy and paste that into the spreadsheet.
- Document the reason why the control applies to you
Then you are going to look at the drivers that you have considered in implementing the control. You will want to say that you have implemented it because the standard says you have to, which is factually correct, but is not what the auditor for ISO 27001 certification wants to hear. Whether true or not, you want to be able to say why you implemented the control, so we are going to record for simplicity the main reasons of
- Record which controls do not apply to you
It may well be that there is no reason for a particular control, which is perfectly fine. You are still going to record it in the Statement of Applicability, but you are going to record that it is not in scope, i.e., it does not apply, and the reason that it does not apply to you.
At certification the auditor wants to see why you think a particular control doesn’t apply to you. It is rare that controls don’t apply, as it’s an international standard and it covers organisations across the board, but it does happen.
Consider: if you do not do software development then that section does not apply. If you are fully remote, then many of the controls on physical security would not apply.
You just record and state the reason. Now you don’t have to worry about them.
- Regularly review the applicability of the controls
The applicability of controls needs to be reviewed regularly: at least once a year, and certainly before you take the certification audit.
You are therefore going to record here the date each control was last assessed, i.e. when you last reviewed whether or not that control was in scope.
For good document mark-up you will have version control on your document that shows when the main review took place.
Anyone looking at it is going to want to see a date within the last 12 months.
This shows that the document is fresh and that you’ve recently gone through that review.
- Keep meeting minutes of the ISO 27001 control review
A top tip: always keep minutes of the management review meeting at which the Statement of Applicability was signed off and approved, so that the two are tied together.
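The steps above describe a spreadsheet with a fixed set of columns and three consistency rules an auditor will look for (every applicable control has a recorded reason, every not-applicable control has a justification, and every control was assessed within the last 12 months). The following script is an added example, not the author's template or any part of ISO 27002: it models those columns, exports them as CSV and runs the checks. The four control rows, their titles and objectives, the driver names and the audit date are all constructed for illustration; copy the real list from the standard.

```python
"""Build and sanity-check an ISO 27001 Statement of Applicability (SoA).

Added example, not the author's template: the control rows are a small
constructed subset, so copy the full list from the ISO 27002 standard.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Drivers the guide suggests recording for why a control applies (assumed set).
DRIVERS = {"business", "legal", "contractual", "risk", "customer"}
# Auditors expect every control to have been assessed within the last 12 months.
REVIEW_WINDOW = timedelta(days=365)
# Constructed audit date used by the sample data below.
AUDIT_DATE = date(2024, 6, 1)


@dataclass
class SoaRow:
    clause: str                  # ISO 27002 clause number, e.g. "5.1"
    title: str                   # control title copied from the standard
    objective: str               # control objective / purpose from Annex A
    applicable: bool             # in scope or not
    drivers: set[str] = field(default_factory=set)  # why the control applies
    not_applicable_reason: str = ""                 # why it does not apply
    last_assessed: date | None = None               # date of the last review
    implementation: str = ""                        # brief note on how it is met


def sample_rows(audit_date: date) -> list[SoaRow]:
    """Constructed sample SoA with two deliberate defects for the checker to find."""
    def days_ago(n: int) -> date:
        return audit_date - timedelta(days=n)

    return [
        SoaRow("5.1", "Policies for information security",
               "Provide management direction for information security", True,
               {"business", "legal"}, last_assessed=days_ago(30),
               implementation="ISMS policy set, approved by the board"),
        SoaRow("7.1", "Physical security perimeters",
               "Prevent unauthorised physical access", False,
               not_applicable_reason="Fully remote organisation with no premises",
               last_assessed=days_ago(200)),
        # Defect: marked not applicable but no reason recorded.
        SoaRow("8.25", "Secure development life cycle",
               "Ensure security is designed into software", False,
               last_assessed=days_ago(10)),
        # Defect: applicable, but the last review is older than 12 months.
        SoaRow("6.1", "Screening", "Ensure candidates are suitable for their roles",
               True, {"legal"}, last_assessed=days_ago(400),
               implementation="Background checks run by HR"),
    ]


def validate(rows: list[SoaRow], audit_date: date) -> list[str]:
    """Return the findings an auditor would raise; an empty list means the SoA is consistent."""
    findings: list[str] = []
    seen: set[str] = set()
    for r in rows:
        if r.clause in seen:
            findings.append(f"{r.clause}: listed twice")
        seen.add(r.clause)
        if r.applicable:
            if not r.drivers:
                findings.append(f"{r.clause}: applicable but no driver recorded")
            elif not r.drivers <= DRIVERS:
                findings.append(f"{r.clause}: unknown driver(s) {sorted(r.drivers - DRIVERS)}")
        elif not r.not_applicable_reason.strip():
            findings.append(f"{r.clause}: marked not applicable without a reason")
        if r.last_assessed is None:
            findings.append(f"{r.clause}: never assessed")
        elif audit_date - r.last_assessed > REVIEW_WINDOW:
            findings.append(f"{r.clause}: last assessed {r.last_assessed}, older than 12 months")
    return findings


def missing_controls(rows: list[SoaRow], required: list[str]) -> list[str]:
    """Clauses that the SoA forgot to list at all (they must appear even if not applicable)."""
    present = {r.clause for r in rows}
    return [c for c in required if c not in present]


def to_csv(rows: list[SoaRow]) -> str:
    """Export the SoA with the columns the guide describes, ready to open in Excel."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Clause", "Title", "Control objective", "Applicable", "Reason required",
                     "Reason not applicable", "Last assessed", "Implementation"])
    for r in rows:
        writer.writerow([r.clause, r.title, r.objective, "Yes" if r.applicable else "No",
                         ", ".join(sorted(r.drivers)), r.not_applicable_reason,
                         r.last_assessed.isoformat() if r.last_assessed else "",
                         r.implementation])
    return out.getvalue()


if __name__ == "__main__":
    rows = sample_rows(AUDIT_DATE)
    print(to_csv(rows))
    for finding in validate(rows, AUDIT_DATE):
        print("FINDING:", finding)
```

Run against the sample data it reports exactly the two defects planted above (8.25 with no justification, 6.1 with a stale review), and `missing_controls` catches the more common failure of a clause being dropped from the list altogether rather than being marked not applicable.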
How to create and use an ISO 27001 Statement of Applicability
ISO 27001 Statement of Applicability Template
The template used in this guide is available to download.
It will save you over 8 hours of work and fast track your implementation.
Which version of the Statement of Applicability (SoA) is required?
It is a good practice to have both versions of the Statement Of Applicability.
At the moment certification bodies are still providing ISO 27001 certification against ISO 27002:2013 (the old version) as they are not yet trained and geared up to certify against ISO 27002:2022.
This is why it is important to check with the certification body.
Having both versions of the Statement of Applicability (SoA) has a number of benefits:
- It will make you more secure, as you will have a superset of all the information security controls
- It will future-proof you for when ISO 27001 certification moves to the new control set
- It will allow you to plan your migration to, and implementation of, the new controls
Why you need an ISO 27001 Statement of Applicability
The Statement of Applicability is a document that you’re often, in fact nearly always, asked for.
You are going to be asked for it by the auditors, you are going to be asked for it by third parties such as your clients and potential clients.
The Statement of Applicability (SoA) is important because it lists out the controls that your organisation has implemented for information security.
What people want to know is what is the scope of your ISO 27001 certification, in other words what does the certificate cover, and what are the information security controls that you have implemented to protect it.
When it comes time for the ISO 27001 certification audit, the certification body is going to ask for the SoA so that they know what they are auditing.
How do you decide what controls to include in a Statement of Applicability (SoA)?
You decide on the controls to include in the Statement of Applicability (SoA) in a number of different ways.
As a basic requirement, make a start by including and listing the Annex A / ISO 27002 controls.
That forms the bare minimum for ISO 27001 certification and, to be fair, is often enough.
Of course, there may be additional controls that you are implementing, either from other standards or from direct requests from your customers, and you are going to record those as well.
Those requirements would be captured on your legal and contractual register, and the actual controls would be recorded in your Statement of Applicability (SoA).
The list of Annex A / ISO 27002 controls is going to be used many times.
What if the Statement of Applicability (SoA) controls don’t apply?
It is very possible that the list of controls provided by ISO 27001 Annex A / ISO 27002 includes controls that do not apply to your organisation.
So what should you do? Implement them anyway to pass the ISO 27001 certification?
The approach to take is to record in the Statement of Applicability (SoA) that those controls do not apply to you and to state the reason why they do not apply.
If you do not have physical premises and work remotely, then it is highly likely that the physical security controls that apply to data processing facilities will not apply to you. If you do not do software development, then the software development controls do not apply to you.
Have a complete list but show and record the controls that are not applicable stating the reason why.
ISO 27001 Statement of Applicability Example
The Statement of Applicability example is what a Statement of Applicability would look like for ISO 27001 for both versions of the standard.
ISO 27001 Statement of Applicability FAQ
It is the document that lists the ISO 27001 Annex A business controls and records if they apply to you or not. It can also record any additional controls that your business has implemented, for example those imposed by customers. It states why the control applies to your business and if it does not apply, why it does not apply.
List out the ISO 27001 Annex A controls in a table. Add columns for whether each applies to you or not. Add columns for why it applies, such as business, legal, risk or customer. Add a column, for the controls that do not apply, explaining why they do not apply. Include columns for the last reviewed date and the next review date. Consider including a brief description of the control you have implemented to satisfy the requirement.
It is another name for the statement of applicability document.
A statement of applicability document template can be downloaded from High Table: The ISO 27001 Company.
In our experience a spreadsheet works best, so a Statement of Applicability xls.
Yes. It is a requirement of ISO 27001 certification. We need to understand what controls the business has chosen to implement as part of its information security management framework.
You make a statement of applicability by creating a spreadsheet and listing out the controls that are defined in ISO 27001 and then recording if they are applicable to you or not. If they are not you record the reason why they are not.
No. The statement of applicability is not confidential. It is a list of the controls you have implemented and may well be requested by customers and clients.
It should take about a day to create a statement of applicability from scratch. The main time sink is in copying and pasting from the standard and then putting in the correct and required columns, and then completing the document.
The owner of the statement of applicability will be decided by the business but it is good practice to assign it to a member of the board or senior leadership team as it has a direct impact on the business.
You share the statement of applicability with anyone who asks for it and with whom you want to share it. It will be shared with auditors for ISO 27001 certification. It can be requested by clients and customers.
It would be recommended and best practice to put your ISO 27001 certification on your website and make the statement of applicability available on request.
You would not remove controls from the statement of applicability, but if they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it not applicable, rather than did not know about it or forgot to include it.
Yes. You can add as many controls as are appropriate to your organisation as long as you have the ISO 27002 controls listed as a minimum.
If they do not apply to you, you would record that they are not applicable and state the reason why. This approach shows that you considered it, understood it, assessed it and deemed it not applicable, rather than did not know about it or forgot to include it.
Yes. It is the list of controls you have implemented and the auditor will need to know what to audit.
SoA means Statement of Applicability.
To communicate the information security controls that you have implemented. This will provide a level of assurance that the controls you have meet the needs and demands of your clients and customers.