As a mandatory document (ISO 27001 Clause 6.1.3 d) for ISO 27001 certification, the Statement of Applicability (SOA) is a key bridge between the outcomes of the risk assessment and the risk treatment plan, and the implementation of information security controls within an organisation.
Clause 6.1.3 d) sets out what the SOA must contain: the controls the organisation has determined are necessary, the justification for including each of them, whether each is implemented or not, and the justification for excluding any of the Annex A controls.
This makes the SOA a core document within the Information Security Management System (ISMS).
Given that it records which controls are implemented and, just as importantly, which are not, it is a map of the organisation's security gaps and should be classified as confidential and protected accordingly.
Given that the Risk Assessment Report also identifies controls, a common question is what extra value the Statement of Applicability provides. This breaks down to four key differences:
Other than it being a mandatory document, there are three key reasons for having a Statement of Applicability.
Firstly, the SOA is a core document in the audit process. As it outlines which ISO 27001 security controls have been implemented within an organisation, it is reviewed during the Stage 1 audit and is used to select the controls examined in the Stage 2 audit. Put simply, it is the key document your auditor will use for planning and assessing your certification, so it is important to ensure that it is comprehensive, accurate and well maintained.
Secondly, when well written, a Statement of Applicability can reduce other documentation requirements. If a control's procedure description is brief, it can be incorporated directly into the SOA, saving the effort of creating a separate document. This is a significant value add, especially for smaller businesses.
And thirdly, the Statement of Applicability provides internal stakeholders with a snapshot of security strategy and status. Properly written, it offers a comprehensive overview of what needs to be done in information security, why it is necessary, and how it will be executed. Far from a mere formality, the SOA becomes the primary statement of intent for information security initiatives.
It is not possible to simply write a Statement of Applicability from scratch: its contents are derived from the risk assessment and the risk treatment plan, so those steps must be completed first. It is a core component of the overall ISO 27001 implementation process, and you can find more details on our ISO 27001 implementation and certification page.
The effort of writing a Statement of Applicability should not be underestimated. Whilst a relatively short document, the decision making behind it is comparatively complex. In our experience, companies investing in ISO 27001 tend to spend more time on the SOA than expected, as it prompts careful consideration of how each control will be implemented, which can mean decisions on equipment purchases, procedural changes, or new hires.
As such, build the necessary time into your project plan, and ensure that all the necessary stakeholders are engaged, as you will need their support when resources are required.