ISO 27001 Statement of Applicability (SoA)
The Statement of Applicability (SoA) serves as a foundational document within an organization's ISO/IEC 27001:2022 Information Security Management System (ISMS), outlining which security controls are relevant and how they are addressed. It lists all Annex A controls, defines whether each control is applicable or not, and justifies the inclusion or exclusion based on risk assessment. The SoA is crucial for both internal governance and external audits.
This guide explains the purpose of the SoA, its significance in ISO 27001 compliance, the steps to develop it, frequent pitfalls to avoid, and recommended best practices.
What is a Statement of Applicability (SoA)?
- Definition: A required document in ISO 27001 that details all Annex A controls, specifies their relevance to the organization, and provides reasons for their selection or omission.
- Purpose: Demonstrates the organization’s selected controls and reasoning, providing transparency in risk treatment.
- Reference: Required under ISO/IEC 27001:2022, Clause 6.1.3 d.
Why is the SoA Important?
- Provides evidence of risk-based control selection during audits.
- Ensures alignment between identified risks and implemented controls.
- Documents control exclusions with valid business or legal justification.
- Serves as a key reference point for the continuous management and operation of the ISMS.
Components of a Statement of Applicability
- An organized list of the 93 security controls from Annex A, categorized into four key domains:
- Organizational Controls: These address policies, roles, responsibilities, and governance structures that form the foundation of an organization’s information security framework.
- People Controls: Focused on managing human factors in security, including awareness programs, responsibilities, and disciplinary actions for non-compliance.
- Physical Controls: Measures to protect physical infrastructure, including facilities, equipment, and protection against unauthorized access to physical spaces.
- Technological Controls: Technical safeguards that secure data, systems, networks, and applications through controls like access management, encryption, and monitoring.
- Applicability Status (Applicable / Not Applicable).
- Justification for Inclusion or Exclusion.
- Control Implementation Status (Implemented / In Progress / Planned).
- References to Supporting Documents (Policies, Procedures, Risk Treatment Plans).
How to Create a Statement of Applicability
Step 1: Conduct a Risk Assessment
- Identify information security risks within your scope. Refer to this practical ISO 27001 implementation guide for more on risk assessment steps.
- Assess impact and likelihood to prioritize risks.
Step 2: Review Annex A Controls
- Analyze each control against identified risks.
- Consider legal, regulatory, and contractual obligations.
Step 3: Determine Applicability
- Mark each control as Applicable or Not Applicable.
- Provide justification for each decision.
Step 4: Define Control Status
- Specify if controls are Implemented, In Progress, or Planned.
Step 5: Reference Supporting Documents
- Link related policies, procedures, or evidence documents.
Step 6: Maintain and Review
- Keep the SoA updated during internal audits, management reviews, and organizational changes.
Common Mistakes in SoA Documentation
- Using generic templates without customization.
- Providing weak or no justification for excluded controls.
- Failing to update the SoA after control changes.
- Over-including unnecessary controls just to “look complete.”
Example SoA Entry
Control | Applicability | Justification | Status | Reference
---|---|---|---|---
A.5.1 - Information Security Policy | Applicable | Required to establish security governance framework. | Implemented | Information Security Policy template
A.7.4 - Physical Security | Not Applicable | Company operates remotely with no physical office premises. | Not Applicable | N/A
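The row layout above (control, applicability, justification, status, reference) is simple enough to check mechanically, and several of the mistakes listed under "Common Mistakes in SoA Documentation" (weak or missing justifications, excluded controls that still report an implementation status, missing references, controls left out of the list) can be caught before an audit. The following is an added example, not part of the original guide or any ISO publication: a small Python validator for SoA rows. The weak-justification word list, the rule thresholds and the sample rows (including the defects in the A.8.24 and A.6.3 rows) are constructed for illustration; the expected-control list is a short placeholder for the full set of 93 Annex A identifiers.

```python
"""Consistency checks for Statement of Applicability (SoA) rows (added example)."""
from dataclasses import dataclass

# Allowed values, following the fields described in the guide.
APPLICABILITY_VALUES = {"Applicable", "Not Applicable"}
ACTIVE_STATUSES = {"Implemented", "In Progress", "Planned"}
EXCLUDED_STATUSES = {"Not Applicable", "N/A", ""}

# Placeholder justifications an auditor would challenge (constructed list).
WEAK_JUSTIFICATIONS = {"", "n/a", "na", "none", "not needed", "not required", "tbd"}
MIN_JUSTIFICATION_WORDS = 4  # constructed threshold, tune to taste


@dataclass
class SoAEntry:
    control: str        # Annex A identifier, e.g. "A.5.1"
    applicability: str  # "Applicable" / "Not Applicable"
    justification: str  # why the control is included or excluded
    status: str         # "Implemented" / "In Progress" / "Planned" / "Not Applicable"
    reference: str      # policy, procedure or evidence document


def check_entry(entry: SoAEntry) -> list[str]:
    """Return a list of findings for one SoA row (empty list means the row is consistent)."""
    findings = []
    if entry.applicability not in APPLICABILITY_VALUES:
        findings.append(f"unknown applicability value {entry.applicability!r}")

    # Every decision needs a real, risk-based reason, whether included or excluded.
    text = entry.justification.strip()
    if text.lower().rstrip(".") in WEAK_JUSTIFICATIONS or len(text.split()) < MIN_JUSTIFICATION_WORDS:
        findings.append("weak or missing justification")

    if entry.applicability == "Applicable":
        # An included control must carry an implementation status and point at evidence.
        if entry.status not in ACTIVE_STATUSES:
            findings.append(f"applicable control has invalid status {entry.status!r}")
        if not entry.reference.strip() or entry.reference.strip().upper() == "N/A":
            findings.append("applicable control has no supporting document reference")
    elif entry.applicability == "Not Applicable":
        # An excluded control must not claim to be implemented or planned.
        if entry.status.strip() not in EXCLUDED_STATUSES:
            findings.append(f"excluded control reports implementation status {entry.status!r}")
    return findings


def check_soa(entries: list[SoAEntry], expected_controls=()) -> tuple[dict, list]:
    """Check every row; return ({control: [findings]}, [expected controls with no row])."""
    findings = {}
    seen = set()
    for entry in entries:
        issues = check_entry(entry)
        if entry.control in seen:
            issues.append("duplicate row for this control")
        seen.add(entry.control)
        if issues:
            findings[entry.control] = issues
    missing = sorted(set(expected_controls) - seen)
    return findings, missing


def coverage(entries: list[SoAEntry]) -> dict:
    """Headline numbers for a management review: how many controls are in scope and done."""
    applicable = [e for e in entries if e.applicability == "Applicable"]
    return {
        "applicable": len(applicable),
        "implemented": sum(1 for e in applicable if e.status == "Implemented"),
        "not_applicable": sum(1 for e in entries if e.applicability == "Not Applicable"),
    }


# Constructed sample rows: the first two mirror the guide's example table, the last two are defective.
SAMPLE_ENTRIES = [
    SoAEntry("A.5.1", "Applicable", "Required to establish security governance framework.",
             "Implemented", "Information Security Policy"),
    SoAEntry("A.7.4", "Not Applicable", "Company operates remotely with no physical office premises.",
             "Not Applicable", "N/A"),
    SoAEntry("A.8.24", "Applicable", "N/A", "Implemented", ""),            # no reason, no evidence
    SoAEntry("A.6.3", "Not Applicable", "Not needed", "Implemented", "Training procedure"),  # contradictory
]
# Placeholder for the full Annex A list; A.5.2 has no row, so it is reported as missing.
EXPECTED_CONTROLS = ["A.5.1", "A.5.2", "A.6.3", "A.7.4", "A.8.24"]

if __name__ == "__main__":
    problems, missing = check_soa(SAMPLE_ENTRIES, EXPECTED_CONTROLS)
    for control, issues in problems.items():
        print(control, "->", "; ".join(issues))
    print("missing rows:", missing)
    print("coverage:", coverage(SAMPLE_ENTRIES))
```

Running the script lists findings for A.8.24 and A.6.3, reports A.5.2 as missing, and prints the coverage counts; the same checks can be run over a spreadsheet export (one SoAEntry per row) as part of the "Maintain and Review" step, so that changes to control status or references are caught at the next internal audit rather than by the external auditor.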
Best Practices for a Robust SoA
- Customize controls based on actual business risks.
- Provide clear, risk-based justifications for exclusions.
- Maintain version control and document history.
- Ensure traceability by linking to specific documents and records.
Conclusion
The Statement of Applicability is not just a compliance formality; it’s a strategic document that reflects your organization's approach to managing information security risks. A well-constructed SoA demonstrates that you have a thoughtful, risk-driven ISMS framework in place. Keep it updated, ensure transparency, and use it as a reference point during audits and continuous improvement initiatives. Here's a step-by-step guide to ISO 27001 certification to help you prepare.