ISO 27001 statement of applicability explained

ISO 27001 statement of applicability

Published on

Bob Nicolson | Head of Consultancy

What is the ISO 27001 Statement of Applicability?

As a mandatory document (ISO 27001 Clause 6.1.3 d) for ISO 27001 certification, the Statement of Applicability (SOA) is a key bridge between the outcomes of the risk assessment and the risk treatment plan, and the implementation of information security controls within an organisation.

There are several mandatory components:

  • a statement of which controls from ISO 27001 Annex A and other external sources will be applied
  • justification for the inclusion of the applicable controls
  • an explanation for the exclusion of any controls from Annex A that are not applicable
  • a description of the current implementation status of the applicable controls

This makes the SOA a core document within the Information Security Management System (ISMS).

Given that it outlines the current status of security controls within an organisation, including which controls are not yet implemented, it should also be considered confidential and protected accordingly.

What extra value does the Statement of Applicability add?

Given that the Risk Assessment Report also includes a definition of controls, a common question is what extra value the Statement of Applicability provides. This breaks down to four key differences:

  • In the Risk Treatment Plan, controls are chosen to address identified risks; the SOA extends this to include controls mandated by other sources such as laws, regulation, and third-party contracts.
  • The Risk Assessment Report only justifies which controls to select. The SOA importantly adds the justification of which Annex A controls to exclude.
  • Risk Assessment Reports can be lengthy, while the SOA is concise, making it more practical and easier to keep up to date.
  • Risk Assessment Reports do not include implementation status. The SOA documents the implementation status of controls, making it a key reference document for management review and certification audit.

What purpose does the Statement of Applicability serve?

Other than it being a mandatory document, there are three key reasons for having a Statement of Applicability.

Firstly, the SOA is a core document in the audit process. As it outlines which ISO 27001 security controls have been implemented within an organisation, it is reviewed during the Stage 1 audit and is used as the source of controls to review in your Stage 2 audit. Put simply, it is the key document your auditor will use for planning and assessing your certification, so it is important to ensure that it is comprehensive, accurate and well maintained.

Secondly, a well-written Statement of Applicability can reduce other documentation requirements. If a control's procedure description is brief, it can be incorporated directly into the SOA, saving the effort of creating a separate document. This is a significant value add, especially for smaller businesses.

Thirdly, the Statement of Applicability provides internal stakeholders with a snapshot of security strategy and status. Properly written, it offers a comprehensive overview, detailing what needs to be done in information security, why it is necessary, and how it should be executed. Far from a mere formality, the SOA becomes the primary statement of intent for information security initiatives.

How to write a Statement of Applicability

It is not possible to simply write a Statement of Applicability from scratch. It is a core component of the overall ISO 27001 implementation process, and prior to writing an SOA there are several significant steps to take, in particular the risk assessment and risk treatment planning that the SOA draws on. You can find more details on our ISO 27001 implementation and certification page.

Final thoughts

The writing of a Statement of Applicability should not be underestimated. Whilst it is a relatively short document, the decision making behind it will be relatively complex. From experience, companies investing in ISO 27001 tend to spend more time on the SOA than expected, as it prompts careful consideration of how controls will be implemented: decisions involving equipment purchases, procedural changes, or new hires.

As such, build the necessary time into your project plan, and ensure that you have all the necessary stakeholders engaged, as you will need their support when resources are required.