The 6 Steps to Write an ISO 27001 Statement of Applicability [+Template]

May 23, 2023
Author

Emily Bonnie

Reviewer

Cavan Leung

ISO 27001 certification requires a lot of documentation: an information security policy, a risk assessment and risk treatment plan, a formal internal audit process, Annex A documents, and the Statement of Applicability, to name just a few.

With such extensive requirements, creating all of these documents can be challenging and time-consuming. Having access to a simple explanation of what’s needed along with real examples and templates can speed the process up significantly and provide peace of mind for your audit. 

Below, get straightforward answers to what the ISO/IEC 27001 Statement of Applicability is, why it’s important, and how to write one. You’ll also find an ISO 27001 Statement of Applicability template and an ISO 27001 Statement of Applicability example to simplify the process. 

What is an ISO 27001 Statement of Applicability?

A Statement of Applicability is required for ISO 27001 certification. It’s a statement that explains which ISO 27001 Annex A security controls are — or aren’t — applicable to your organization’s information security management system (ISMS). 

According to clause 6.1.3, a Statement of Applicability should: 

  • List the information security controls an organization has selected to mitigate risk
  • Explain why these controls were chosen for your ISMS
  • State whether the applicable controls have been fully implemented
  • Explain why any controls were excluded

A common question: given the level of information it includes, is a Statement of Applicability confidential? Yes. These statements are designed to be confidential internal documents that should only be shared with your auditor. 


Why the ISO 27001 Statement of Applicability matters 

The Statement of Applicability is the foundational document for ISO 27001. It defines which of the suggested 114 controls from Annex A you will implement and how — and the reasons why you’ve chosen not to implement certain ISO 27001 controls. It also details why each control is needed and whether it has been fully implemented.

Even putting ISO 27001 certification requirements aside, the Statement of Applicability is an incredibly useful document. Here are a few other reasons your Statement of Applicability is so important: 

It helps put your data security strategy into practice

ISO 27001 requires that every ISMS account for and document the organization’s legal, regulatory, and contractual commitments around information security. It also requires a detailed description of how you meet those requirements. 

Your Statement of Applicability helps you define exactly which controls you’re using to uphold those business-critical commitments. 

It can also help focus your efforts on achieving a compliant ISMS by acting as the link between your risk assessment and your risk treatment plan. What threats does your business face (risk assessment), how do you plan to prioritize and mitigate them (risk treatment plan), and what does that look like in practice (Statement of Applicability)?

It guides your internal and certification audits

During your ISO 27001 certification audit, the Statement of Applicability acts as the central document for your auditor to check whether your controls actually work the way you say they do. It will also be a focal point for your periodic internal security audits and help you fulfill your requirements to continuously review and improve your ISMS. 

By listing out every control you’ve implemented, you’ll get a snapshot of how effectively you’re managing risk and whether there might be a better approach. And because you’ll need to review this document at least annually, it will help you stay aware of any changes to the threat landscape that might signal a change in your strategy. Maybe a risk you previously accepted has increased in likelihood and you decide to implement a new control. 

Note that the version number and date on the SoA document need to match those listed on your ISO 27001 certificate, so when a customer asks, they'll know they're looking at the right reference.

It provides a working document for monitoring and improving your ISMS 

While the Statement of Applicability is an important tool for your certification audit, it isn’t just for your auditor’s benefit. Its central value is as a tool for your organization to monitor and improve your ISMS. 

Think of it as a snapshot overview of how your organization practices information security — a working list of every control, why it’s needed, and a description of how it actually works. It can help you and others in your organization (like board members and investors) understand how and why you manage certain information security risks and accept others. 

How to write an ISO 27001 Statement of Applicability

Now it’s time to put pen to paper (or fingers to keyboard) and create your Statement of Applicability document. We’ve broken the process down into six steps to guide you through it. 

1. Identify and analyze risks to your ISMS 

Complete an ISO 27001 risk assessment by listing all of your information assets and identifying data and cybersecurity threats for each one. 

With your risk assessment report in hand, you can then rank and prioritize risks based on likelihood and impact, assign a risk owner, and create a plan for closing any vulnerabilities. You can find an ISO 27001 risk assessment template here.

2. Define your risk treatment plan

Now that you have a list of identified risks, you’ll need to decide what security measures to take for each of them. A risk treatment plan is a document that summarizes each risk, assigns an owner for each one, details how you plan to mitigate or accept each risk, and the expected timeline to remediate any nonconformities.

The ISO 27001 standard defines four risk treatment options: 

  • Treat the risk with security controls that reduce the likelihood it will occur 
  • Avoid the risk by preventing the circumstances where it could occur 
  • Transfer the risk to a third party (e.g., outsource security efforts to another company, purchase insurance, etc.)
  • Accept the risk if the cost of addressing it is greater than the potential damage 

3. Choose the security controls you’ll use to mitigate risks

Once you’ve identified the risks you want to address, you can choose the necessary controls to reduce their likelihood or impact. Use Annex A and ISO 27002 as your guide to review recommended controls and select the ones most suitable for your organization. 

For example, a risk to data security is employees using weak or shared passwords. One possible control would be to establish a strong password policy or implement a tool like 1Password company-wide. 

4. Create a list of the controls you won’t be using and the justifications why 

Sometimes it makes more sense for your business to accept a risk than treat it. For example, you wouldn’t want to spend $10k to avoid a $1k risk. 

Or perhaps the likelihood and/or impact of the threat are so insignificant that the risk is already at an acceptable level. A business based in Cleveland probably does not need expensive earthquake protections like seismic server racks. 

Document your decision not to treat certain risks in your ISO 27001 risk treatment plan. You’ll need that list when you complete your Statement of Applicability, and your auditor will want to see that you’re at least aware of the risks and have made an informed decision to accept them.  

5. Complete your Statement of Applicability document

List the controls recommended by Annex A, along with a statement on whether you applied each one and the reasons behind your decision. You’ll also list whether the control fulfills a legal, contractual, business, or compliance requirement, along with the date it was implemented. 

Because the Statement of Applicability lists each Annex A control and its corresponding details, most people organize it as a spreadsheet. That said, any document that can be broken up into sections will suffice. 

Here's an illustrative example organized in a spreadsheet:

6. Keep your Statement of Applicability up to date

Your Statement of Applicability is a living document. Because continuous improvement is an essential aspect of ISO 27001 standards, you’ll need to keep evaluating, adding, and adjusting your security controls over time. 

Your SoA should be regularly updated to reflect the controls you use and how you’ve changed them to strengthen your ISMS.
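The six steps above can be worked through in code: a risk register with the four treatment options feeds the control selection, excluded controls carry a justification, and the resulting rows are checked against the clause 6.1.3 points before they are exported as the spreadsheet most teams use. The script below is an added example, not Secureframe's template or tooling; the control IDs and titles are a constructed subset in the style of Annex A, and the risks, owners, scores and dates are constructed sample data.

```python
"""Build and sanity-check a Statement of Applicability (SoA) from a risk register.

Added illustrative example (not Secureframe's code). Control IDs, names, risk scores,
owners and dates are constructed sample data. The validation mirrors clause 6.1.3 as
summarised in the article: every control is listed, each applicable control has a
justification and an implementation status, each excluded control has a justification.
"""
from dataclasses import dataclass, field
import csv
import io

# Constructed subset of Annex A-style controls (assumed IDs/titles, not the full catalogue).
CONTROLS = {
    "A.5.15": "Access control",
    "A.5.17": "Authentication information",
    "A.7.4": "Physical security monitoring",
    "A.7.8": "Equipment siting and protection",
    "A.8.24": "Use of cryptography",
}
TREATMENTS = ("treat", "avoid", "transfer", "accept")  # the four options the article names


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe)
    owner: str
    treatment: str         # one of TREATMENTS
    controls: tuple = ()   # control IDs selected when treatment == "treat"

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass
class SoaRow:
    control_id: str
    name: str
    applicable: bool = False
    justification: str = ""
    requirement_type: str = ""  # legal | contractual | business | compliance
    implemented: bool = False
    implemented_on: str = ""
    owner: str = ""
    risks: list = field(default_factory=list)


# Constructed risk register (steps 1 and 2): scores are likelihood x impact.
RISKS = [
    Risk("Corporate SaaS accounts", "Weak or shared passwords", 4, 4, "IT lead", "treat", ("A.5.17", "A.5.15")),
    Risk("Customer database", "Backup media read by unauthorised party", 2, 5, "DBA", "treat", ("A.8.24",)),
    Risk("Server room", "Earthquake damages racks (Cleveland office)", 1, 3, "Facilities", "accept"),
    Risk("Laptops", "Theft from office", 2, 3, "Facilities", "transfer"),
]
# Step 4: justification for each control deliberately left out.
EXCLUSIONS = {
    "A.7.8": "Seismic risk accepted: likelihood 1/5 at the Cleveland site; seismic racks cost more than the expected loss.",
}
# Step 5 details per selected control: (requirement type, implemented?, implementation date).
IMPLEMENTATION = {
    "A.5.17": ("contractual", True, "2023-03-01"),
    "A.5.15": ("contractual", True, "2023-03-01"),
    "A.8.24": ("legal", False, ""),
}


def build_soa(controls, risks, exclusions, implementation):
    """Step 3 + 5: one row per catalogue control, marked applicable by the risks that select it."""
    rows = {cid: SoaRow(cid, name, justification=exclusions.get(cid, "")) for cid, name in controls.items()}
    for r in risks:
        if r.treatment not in TREATMENTS:
            raise ValueError(f"{r.threat}: unknown treatment {r.treatment!r}")
        if r.treatment != "treat":
            continue  # avoided, transferred or accepted risks select no control here
        for cid in r.controls:
            row = rows[cid]  # KeyError here means a control outside the catalogue
            row.applicable = True
            row.risks.append(f"{r.threat} (score {r.score()})")
            row.owner = row.owner or r.owner
            row.requirement_type, row.implemented, row.implemented_on = implementation.get(cid, ("", False, ""))
            row.justification = "Selected to treat: " + "; ".join(row.risks)
    return list(rows.values())


def validate_soa(rows):
    """Return (control_id, problem) findings; an empty list means the SoA is internally consistent."""
    findings = []
    for row in rows:
        if row.applicable:
            if not row.justification:
                findings.append((row.control_id, "applicable control lacks justification"))
            if row.implemented and not row.implemented_on:
                findings.append((row.control_id, "implemented without a date"))
            if not row.owner:
                findings.append((row.control_id, "no control owner"))
        elif not row.justification:
            # A control neither selected nor consciously excluded is the gap auditors look for.
            findings.append((row.control_id, "excluded control lacks justification"))
    return findings


def to_csv(rows, version: str, date: str) -> str:
    """Step 6: the spreadsheet form, stamped with the version/date that must match the certificate."""
    buf = io.StringIO()
    buf.write(f"# Statement of Applicability version {version}, {date}\n")
    fields = ["control_id", "name", "applicable", "justification", "requirement_type",
              "implemented", "implemented_on", "owner"]
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    for row in rows:
        writer.writerow({f: getattr(row, f) for f in fields})
    return buf.getvalue()


if __name__ == "__main__":
    soa = build_soa(CONTROLS, RISKS, EXCLUSIONS, IMPLEMENTATION)
    for cid, problem in validate_soa(soa):
        print(f"GAP {cid}: {problem}")
    print(to_csv(soa, "1.0", "2023-05-23"))
```

Running it reports one gap: the physical security monitoring control was neither selected by a treated risk nor given an exclusion justification, which is exactly the omission step 4 tells you to document. The version and date written into the first line are the values that must match the certificate.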

Download the ISO 27001 Statement of Applicability template

Use our ISO 27001 Statement of Applicability template to simplify the process of creating your own SoA.

ISO 27001 Statement of Applicability FAQs

What is an ISO 27001 Statement of Applicability?

An ISO 27001 Statement of Applicability explains which Annex A security controls are — or aren’t — applicable to your organization’s ISMS. If a control isn’t applicable, an explanation is necessary. 

Is a Statement of Applicability an ISO 27001 requirement?

Yes, a Statement of Applicability is required for ISO 27001 certification.

How do you write an ISO 27001 Statement of Applicability?

Because they contain a list of Annex A controls and how they’ve been implemented in your organization, most Statements of Applicability are formatted as a spreadsheet. List each Annex A control, indicate whether it’s been applied and a justification, specify a control owner, and include the date it was implemented and last assessed. 

Statements of Applicability are living documents that will change as you continually improve your ISMS, so you’ll likely want to include some kind of version history as well. 

What is an SoA document?

SoA is an acronym for Statement of Applicability; it refers to the same document.

Where can I find an ISO 27001 Statement of Applicability template for download?

You can find a free ISO 27001 Statement of Applicability Excel template for download here.

What is an ISO 27001 Statement of Applicability justification?

If you decide not to implement an Annex A control, you’ll need to explain (or justify) the reasons why it’s not applicable to your ISMS.

What is ISO 27001:2022?

ISO 27001:2022 is the latest edition of the ISO standard, published in October 2022. Overall, the updates in the ISMS Clauses 4-10 include minor wording and structural changes to clarify control objectives, and don’t impact the Statement of Applicability requirement.

Streamline ISO 27001 certification with Secureframe

Congrats! You’ve completed your ISO 27001 Statement of Applicability. As you get ready for your certification audit, you’ll likely have hundreds of other documents to collect, organize with the right controls, and keep up-to-date. 

Secureframe's compliance automation platform can simplify and streamline the entire process of preparing for and maintaining your ISO 27001 certification. We’ll help you build a compliant ISMS, monitor your tech stack for vulnerabilities, and assist with risk management. We also help you map your ISO 27001 controls to prove compliance with other frameworks such as SOC 2, PCI DSS, NIST, GDPR, and more. Schedule a demo today to learn more.