
The Statement of Applicability (SoA), required by clause 6.1.3 of ISO/IEC 27001, is one of the most critical documents in the certification process. It is the definitive record of which Annex A controls the organization has selected, which it has excluded, and the rationale behind each decision.
The SoA bridges risk assessment with control implementation. It translates the theoretical risk treatment plan into a concrete list of security controls that the organization has selected, implemented, or chosen to exclude. Auditors examine the SoA closely because it reveals the organization's security thinking and control coverage.
Beyond audit requirements, the SoA provides operational value as a reference for understanding the organization's security control framework. Security teams use it to understand which controls exist and their implementation status. New employees can review it to understand the security landscape.
For each of the ninety-three Annex A controls in ISO/IEC 27001:2022 (37 organizational, 8 people, 14 physical and 34 technological), the SoA must record whether the control is applicable. For applicable controls, record the justification for inclusion and the implementation status: fully implemented, partially implemented, or planned. For non-applicable controls, provide a clear justification for the exclusion. Clause 6.1.3 requires the justification in both directions, so an applicable control with no stated reason is as much a finding as an excluded control with none.
Link each control to the risk assessment findings that drove its selection. Record where detailed implementation guidance can be found, and point to the policies, procedures, and technical documentation that evidence each control, so an auditor can move from a line in the SoA to the artefact that proves it.
A control can legitimately be excluded only when no risk within the ISMS scope requires it. For example, an organization that issues no mobile or remote endpoint devices might exclude the controls specific to them, and an organization that develops no software might exclude the secure development controls. Auditors check every exclusion against the scope statement and the risk register, so an exclusion that the scope or the register contradicts will not survive the audit.
Exclusion justifications must be specific and defensible. Generic statements such as "not applicable to our business" will not satisfy auditors. Instead, explain precisely why the risk the control addresses does not exist in scope, or how it is treated by other controls named in the risk treatment plan.
The SoA must remain current as the organization evolves. New systems, processes, or business activities may bring previously excluded risks into scope. Changes to Annex A in new ISO 27001 versions require SoA updates. Risk reassessment may change which controls are necessary.
Establish a review cycle aligned with the overall ISMS review process. Update the SoA whenever significant changes occur. Maintain version control to track how the SoA evolves over time.
SoA stands for Statement of what?
How many controls are in Annex A (2022)?
Must exclusions be justified?