What is an ISO 27001 Statement of Applicability?

An ISO 27001 Statement of Applicability (SoA) is a document that identifies the controls that an organization has implemented to address the information security risks it has identified through a risk assessment. The SoA is a key component of an ISO 27001 Information Security Management System (ISMS).

The purpose of the SoA is to provide a clear and concise summary of the controls that the organization has implemented, and to demonstrate how these controls address the risks identified during the ISO 27001 risk assessment. The SoA typically includes a list of controls, the control objectives, and a brief description of how each control is implemented.

The controls included in the SoA are based on Annex A of the ISO 27001 standard, which provides a framework of security controls. The SoA may include all of the Annex A controls, or only those that are relevant to the organization and the risks it faces.

In addition to listing the controls, the SoA also provides information about the status of each control, such as whether it is fully implemented, partially implemented, or not implemented at all. The SoA is a living document that is reviewed and updated regularly to ensure that it remains accurate and up-to-date.