The ISO 27001:2013 Statement of Applicability (SoA): Simplified

The Statement of Applicability (SoA) forms a fundamental part of your information security management system (ISMS) and, together with the Scope, as described in 4.3 of ISO 27001:2013, will offer assurance to your auditors and other interested parties, of the depth and breadth of your ISMS.

The importance of the Statement of Applicability

The Scope identifies the breadth, or the boundaries, of your ISMS, whether it be by product, department, geography, or other criteria.

The SoA gives confidence in the depth of your ISMS, describing which of the 114 ISO 27001:2013 Annex A controls have been implemented and those that haven’t.

For this reason, it is also one of the key documents an auditor will refer to in his ISO 27001 Certification (Stage 2) audit where, armed with the SoA, he will look for physical evidence that the organisation has satisfactorily implemented the controls it has claimed to.

How do you know which controls to include?

The SoA is the main link between your risk assessment and treatment and how you implement information security. It shows which security measures (Annex A controls) you are using and how you have implemented them (your policy). Where controls are needed to manage the risks identified, the proper controls must be selected.

Fortunately, ISO 27002 provides a very good catalogue of control objectives and controls for the treatment of risks as well as guidance on how to implement them. It’s why we also recommend buying ISO 27001 and 27002 together*.

But the SoA also identifies controls needed for other reasons such as in managing applicable legislation, contracts, or because of other controls or processes.

To summarise, identify the risks around your valuable information, including to its Confidentiality, Integrity, and Availability (CIA). But also consider the risks posed by regulations (Applicable Legislation), which is gaining much more prominence because of EU GDPR for those processing EU Citizen information. You’ll also need to consider other internal and external issues as well as other aspects introduced by Interested Parties, for example customer or supplier contracts.

Now, what security measures (Annex A controls) must you deploy to manage those risks will actually depend on your organisation, its risk appetite and the scope. But whatever it is, it needs to be presented in the SOA.

What information needs to be included in the SoA

  • A list of the 114 Annex A controls
  • Whether the control is implemented or not
  • Justification for its inclusion or exclusion
  • A brief description of how each applicable control is implemented, with reference to the (policy and control) that describes it in the right detail

How to save time when writing your SoA

The SoA typically takes a large amount of time for an organisation to put together. If we think about the steps involved in it’s creation it’s little wonder:

  1. Identify risks associated with the security of all information assets in terms of CIA, applicable legislation and contracts
  2. Assess those risks and then decide on which of the 114 Annex A controls are needed in their management
  3. Decide on how to implement the control in terms of procedure, people, technology in order to create the policy
  4. Then create the SoA document itself

Using you can wipe weeks of work off the above:

  • Use ISO 27001 certified tools for the identification, evaluation and treatment of risks, in terms of CIA, Applicable Legislation and Interested Parties
  • Draw down  from over 100 risks that already include links to the common Annex A controls used in their management
  • Evaluate the impact and likelihood of the risk using a proven methodology and policy included in the software, all dynamically updated, version controlled and visible to colleagues for effective collaboration
  • Adopt, adapt or add to the policies, tools and frameworks already included in the system that will give you a head start of up to 77%
  • Let the software dynamically create your SoA, linked to the policies and controls,  ready to export or share with interested parties you choose to grant user access to your platform
  • Focus your energy on running your business the way you want to, and spend time on what you need to achieve for success, worrying less about how to do it. just makes it all so easy to get your work done at a fraction of the cost and time of alternatives

In the giant jigsaw puzzle that is your ISMS, tying it all together in one secure environment (with a host of other tools and processes to make it simpler) will help you, your colleagues and interested parties navigate it quickly and with ease.


It has never been easier to demonstrate the depth and breadth of a trusted ISMS with

Need a solution for your ISO 27001 ISMS and SoA?

ISMS Online Rating: 5 out of 5
Share This