What is the Statement of Applicability (SoA) in ISO/IEC 27001?

18-Jun-2026

Maria Thompson

When organisations work toward information security certification, they mainly focus on risk assessments and control implementation. In doing so, one critical document is often overlooked: the ISO 27001 Statement of Applicability. It acts as the control map of your Information Security Management System (ISMS), showing which security controls are selected, which are excluded, and why. This gives a transparent record of how security decisions were evaluated and applied.

It serves as a justification record, a link between risk treatment and controls, and a strong audit reference point. When written well, it makes compliance simpler, audits smoother, and security decisions more transparent. In this blog, you will learn about ISO 27001 Statement of Applicability, its importance, how to write one, and more!

What is ISO 27001 Statement of Applicability?

The ISO 27001 Statement of Applicability (SoA) shows which security controls and related policies an organisation has chosen to apply to protect its information assets and information processing facilities. It explains what controls are in scope, what controls are excluded, and the reasons behind every decision, based on the organisation’s risk assessment and risk treatment process.

The Statement of Applicability is created by mapping the organisation’s selected controls against the Annex A control set in the ISO 27001 standard. It links identified risks to the controls chosen for risk treatment. The Statement of Applicability is required under clause 6.1.3 (information security risk treatment) of ISO 27001, which specifies what it must contain: the necessary controls, the justification for their inclusion, whether each necessary control is implemented or not, and the justification for excluding any of the Annex A controls.

Why is the ISO 27001 Statement of Applicability Important?

The ISO 27001 Statement of Applicability plays a central role in showing how an organisation turns risk assessment results into practical security controls. Let’s explore the reasons why it is considered essential below:

1) Shows Risk-based Decision-making

The ISO 27001 Statement of Applicability demonstrates that security controls are selected through a structured risk assessment and risk treatment process. Organisations map each chosen control to identified risks and their specific operating context.

2) Encourages Transparency and Accountability

The ISO 27001 Statement of Applicability explains why certain controls are implemented and why others are excluded. This gives stakeholders, leadership, and auditors full visibility into security choices and creates accountability for decisions.

3) Supports Certification and Audits

The ISO 27001 Statement of Applicability is one of the first documents auditors ask for during certification and surveillance audits. It helps verify compliance with ISO/IEC 27001 and validates that the ISMS controls framework is properly designed.

4) Acts as a Useful Reference

The ISO 27001 Statement of Applicability acts as a practical reference for management, employees, and external partners. It provides a structured overview of the organisation’s security control framework and supports a consistent understanding across teams.

Gain clear, practical basics to start your ISO 27001 journey today with ISO 27001 Foundation Training – Join now!


How to Write an ISO 27001 Statement of Applicability (SoA)?

Writing an effective ISO 27001 Statement of Applicability involves demonstrating clear, risk-based control selection, justified exclusions, and documented treatment decisions. Let’s explore the steps to create one below:

1) Understand the Requirements

Begin by reviewing the ISO/IEC 27001 requirements for risk assessment and risk treatment, especially Clause 6.1.3 and the Annex A controls. A clear understanding of what the SoA must contain (necessary controls, justification for inclusion, implementation status, and justification for any exclusion) helps you create a complete, well-structured document aligned with certification expectations.

2) Perform a Comprehensive Risk Assessment

Before drafting the ISO 27001 Statement of Applicability, carry out a formal risk assessment. Identify information security risks, threats, vulnerabilities, and potential impacts on your organisation. The SoA must be grounded on real risk findings, not assumptions.

3) Define Your Risk Management Strategy

Next, determine how each identified risk will be treated: modify it by applying controls, retain it within appetite, avoid it by stopping the activity, or share it with a third party such as an insurer or supplier. For risks you choose to modify, document the protective measures you plan to implement, such as encryption, access controls, monitoring, or policies. This step creates a clear, traceable link between risk assessment results and control selection.

4) Identify and Select Applicable Security Controls

Map your risk and treatment decisions against the Annex A controls and select the controls that are relevant to your environment. Annex A is a reference list used to confirm that no necessary control has been overlooked; controls from other sources may be added where the risk treatment needs them. Every organisation has a different risk profile, so the selection must reflect its size, industry, technology, and operations. For example, organisations with warehouses may include more physical security controls than fully remote businesses.

5) Prepare and Finalise the Statement of Applicability

Compile the ISO 27001 Statement of Applicability using your risk assessment results and selected controls. For each Annex A control, provide clear justification for inclusion or exclusion, link it to the relevant risks, and state its implementation status along with supporting policies. This step ensures the SoA is complete and audit ready.

6) Plan Annual Updates

The ISO 27001 Statement of Applicability must not remain static. Plan a review at least annually, and earlier if there are major business, technology, or regulatory changes or if the risk assessment is re-run. Regular updates keep control relevance, ownership, and implementation status accurate and make audits smoother.
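The six steps above describe a repeatable data flow: a risk register with treatment decisions on one side, a decision per Annex A control on the other, and the SoA as the join between them. The following Python script is an added example, not code from the original post or from any ISO publication. It compiles an SoA from those two inputs and then runs the consistency checks an auditor would apply: every control has a recorded decision, every applicable control is linked to at least one risk, no justification is generic, and no risk treatment relies on a control the SoA excludes. The eight control identifiers and titles are real ISO/IEC 27001:2022 Annex A entries (a complete SoA covers all 93); the risk register, per-control decisions, status vocabulary, and the 20-character "too short to be a justification" threshold are constructed sample data and assumptions for illustration.

```python
"""Added example (not from the original post): compile a Statement of
Applicability from a risk register plus per-control decisions, then run
the consistency checks an auditor applies. Control IDs and titles are
ISO/IEC 27001:2022 Annex A; risks, decisions and statuses are constructed."""
import csv
import io
from dataclasses import dataclass

# Subset of Annex A (real identifiers and titles); a full SoA covers all 93.
ANNEX_A = {
    "A.5.7": "Threat intelligence",
    "A.5.24": "Information security incident management planning and preparation",
    "A.6.1": "Screening",
    "A.6.3": "Information security awareness, education and training",
    "A.7.4": "Physical security monitoring",
    "A.7.6": "Working in secure areas",
    "A.8.11": "Data masking",
    "A.8.12": "Data leakage prevention",
}

# Constructed risk register: id -> (description, treatment option, controls selected).
RISK_REGISTER = {
    "R-01": ("Production PII copied into test databases", "modify", ["A.8.11"]),
    "R-02": ("Staff upload documents to personal cloud storage", "modify", ["A.8.12", "A.6.3"]),
    "R-03": ("Slow, ad hoc handling of security incidents", "modify", ["A.5.24", "A.5.7"]),
    "R-04": ("Insider hired without background checks", "modify", ["A.6.1"]),
    "R-05": ("Tailgating into the shared office space", "retain", []),
}

# Constructed per-control decisions: what the SoA must record for each control.
DECISIONS = {
    "A.5.7": {"applicable": True, "status": "partially implemented",
              "justification": "Treats R-03: vendor threat feed consumed by the SOC"},
    "A.5.24": {"applicable": True, "status": "implemented",
               "justification": "Treats R-03: incident response plan and on-call rota"},
    "A.6.1": {"applicable": True, "status": "implemented",
              "justification": "Treats R-04: pre-employment checks for staff and contractors"},
    "A.6.3": {"applicable": True, "status": "implemented",
              "justification": "Treats R-02: onboarding and annual awareness training"},
    "A.7.4": {"applicable": True, "status": "implemented",
              "justification": "Not applicable"},  # generic, and contradicts 'applicable'
    "A.7.6": {"applicable": False, "status": "not implemented",
              "justification": "No secure areas on premises: all systems run in a third-party "
                               "cloud region and the offices hold no servers"},
    "A.8.11": {"applicable": True, "status": "implemented",
               "justification": "Treats R-01: masked copies used for all non-production data"},
    # A.8.12 deliberately has no decision, to exercise the completeness check.
}

GENERIC = {"not applicable", "n/a", "not relevant", "none", ""}   # assumed stop-list
VALID_STATUS = {"implemented", "partially implemented", "planned", "not implemented"}


@dataclass
class SoaRow:
    control: str
    title: str
    applicable: bool
    justification: str
    linked_risks: list
    status: str


def compile_soa(annex=ANNEX_A, decisions=DECISIONS, register=RISK_REGISTER):
    """One row per Annex A control. Risk links are derived from the register,
    not typed in by hand, so the SoA cannot silently drift from the treatment plan."""
    risks_by_control = {}
    for rid, (_, _, controls) in register.items():
        for c in controls:
            risks_by_control.setdefault(c, []).append(rid)
    rows = []
    for cid, title in annex.items():
        d = decisions.get(cid, {"applicable": False, "status": "", "justification": ""})
        rows.append(SoaRow(cid, title, d["applicable"], d["justification"].strip(),
                           sorted(risks_by_control.get(cid, [])), d["status"]))
    return rows


def validate(rows, decisions=DECISIONS, register=RISK_REGISTER):
    """Return sorted (control-or-risk, finding) pairs for the failure modes auditors flag."""
    findings = []
    for r in rows:
        if r.control not in decisions:
            findings.append((r.control, "no decision recorded"))
            continue
        if r.justification.lower() in GENERIC or len(r.justification) < 20:
            findings.append((r.control, "generic or missing justification"))
        if r.applicable and not r.linked_risks:
            findings.append((r.control, "applicable but linked to no risk"))
        if r.status not in VALID_STATUS:
            findings.append((r.control, f"unknown status {r.status!r}"))
    applicable = {r.control for r in rows if r.applicable}
    for rid, (_, option, controls) in register.items():
        if option == "modify" and not controls:
            findings.append((rid, "modify treatment selects no control"))
        for c in controls:
            if c not in applicable:
                findings.append((rid, f"treatment relies on {c}, which the SoA does not apply"))
    return sorted(findings)


def to_csv(rows):
    """Render the SoA in the tabular form auditors expect."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["Control", "Title", "Applicable", "Justification", "Linked risks", "Status"])
    for r in rows:
        w.writerow([r.control, r.title, "Yes" if r.applicable else "No",
                    r.justification, ";".join(r.linked_risks), r.status])
    return buf.getvalue()


if __name__ == "__main__":
    soa = compile_soa()
    print(to_csv(soa))
    for subject, finding in validate(soa):
        print(f"FINDING {subject}: {finding}")
```

Run as written, the checks flag A.7.4 twice (a generic justification on a control marked applicable, and no risk behind it), A.8.12 for having no decision at all, and R-02 because its treatment relies on A.8.12 while the SoA does not apply that control; A.7.6 passes because its exclusion is specific to the organisation's environment. Deriving the risk links from the register rather than typing them into the SoA is the design choice that keeps the two documents consistent between reviews.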

Audit with confidence and lead to perform effective ISMS audits with ISO 27001 Internal Auditor Training now!

How Many Controls are There in ISO 27001?

ISO/IEC 27001:2022 Annex A contains 93 security controls, down from the 114 controls in 14 domains of the 2013 edition. These controls are organised into four themes. This structure makes control selection clearer and helps organisations align controls with risks and business context when preparing the Statement of Applicability. Let's look at each group below:

1) Organisational Controls (37 Controls)

This control group focuses on how information security is governed, managed, and monitored at an organisational level. It brings together risk, compliance, supplier, and operational security controls in a centralised and unified governance layer.

What it Covers:

1) Governance and policy-level security controls.

2) Risk management and operational security practices.

3) Supplier and third-party security requirements.

4) Legal, regulatory, and contractual compliance controls.

Why This Group Was Merged and Updated:

1) To simplify compliance and risk oversight activities.

2) To merge previously scattered compliance and governance controls.

3) To reflect modern security governance practices.

Examples of Key Controls:

1) A.5.7: Threat intelligence (new in the 2022 edition) requires information about threats to be collected and analysed to support ongoing threat monitoring.

2) A.5.24: Information security incident management planning and preparation defines the roles, processes, and procedures that the incident management controls A.5.25 to A.5.28 build on.

2) People-focused Security Controls (8 controls)

In this control group, the human side of information security is addressed. It focuses on reducing risks caused by user behaviour, lack of awareness, or poor personnel practices across an organisation’s employees and contractors.

What it Covers:

1) Personnel screening and background checks.

2) Security awareness, education, and training.

3) User responsibilities and acceptable behaviour.

4) Contractor and third-party people risk.

Why This Group Was Merged and Updated:

1) To recognise that human error is a major breach cause.

2) To bring workforce-related controls into one place.

3) To support continuous and role-based awareness training.

4) To reflect the modern workforce and contractor models.

Examples of Key Controls:

1) A.6.3: Security awareness, education, and training to strengthen continuous awareness programmes.

2) A.6.1: Screening requires background verification checks on candidates before they join, including contractor personnel, proportionate to the information they will access.

3) Physical and Environmental Protection Controls (14 Controls)

In this control group, the focus is on protecting physical locations, equipment, and devices that store or process information. It reflects both traditional facility security and newer hybrid working realities.

What it Covers:

1) Facility and site access protection.

2) Secure areas and equipment safeguards.

3) Device and asset protection measures.

4) Environmental and physical monitoring controls.

Why This Group Was Merged and Updated:

1) To streamline overlapping facility security controls.

2) To address hybrid and remote working risks.

3) To add relevance for Internet of Things (IoT) and smart building environments.

4) To modernise physical monitoring expectations.

Examples of Key Controls:

1) A.7.4: Physical security monitoring (new in the 2022 edition) requires premises to be continuously monitored for unauthorised physical access, for example with guards, intruder alarms, or CCTV.

2) A.7.6: Working in secure areas requires defined security measures for anyone working within a secure area, such as a server room.

4) Technological and System Security Controls (34 Controls)

In this control group, technical safeguards across IT systems, networks, applications, and data are covered. It is heavily updated to reflect cloud, Software as a Service (SaaS), modern attack methods, and secure development needs.

What it Covers:

1) IT infrastructure and network security.

2) Access control and cryptographic safeguards.

3) Application and cloud security controls.

4) Data protection and secure development practices.

Why This Group Was Merged and Updated:

1) To respond to modern cyber threat patterns.

2) To expand cloud and SaaS security coverage.

3) To strengthen privacy and data protection controls.

4) To improve secure coding and configuration practices.

Examples of Key Controls:

1) A.8.11: Data masking (new in the 2022 edition) protects sensitive and personal data, for example by masking or pseudonymising production data before it is used in non-production environments.

2) A.8.12: Data leakage prevention (new in the 2022 edition) applies measures to systems, networks, and devices that process sensitive information to detect and prevent unauthorised data transfer.

Design and deploy ISO 27001 controls with ISO 27001 Lead Implementer Training – Join today!

Common Challenges in Developing the Statement of Applicability

The ISO 27001 Statement of Applicability is a high-value document, yet many organisations find it challenging to prepare and maintain it properly. Let’s look at some of the challenges organisations face below:

1) Misinterpreting Control Requirements: Teams sometimes misunderstand Annex A controls or apply them too broadly, leading to incorrect applicability decisions and weak mappings to risks.

2) Generic Justifications: A common issue is using vague reasons without enough supporting evidence. Audits expect clear risk-based justification for both included and excluded controls.

3) Poor Risk-to-control Mapping: If the SoA is not clearly linked to the risk assessment and treatment plans, it becomes inconsistent. This weakens the audit defensibility.

4) Lack of Regular Updates: Organisations create the SoA but rarely revisit it. As technology, processes, or threats change, an outdated SoA becomes misaligned with the risk profile.

5) Limited Stakeholder Involvement: Creating a strong SoA requires input from risk owners, IT, security, legal, and business leaders. Without stakeholder engagement, decisions may be incomplete or impractical.

Tips for Developing an Effective Statement of Applicability

An effective Statement of Applicability must show how your organisation selects controls, treats risk, and manages information security in practice. Let's look at some practical tips for writing a strong SoA below:

1) Base it on Risk Assessment: Build the SoA directly from your risk assessment and risk treatment results. Each selected or excluded control must be linked to identified risks and treatment choices.

2) Be Clear and Context-specific: Avoid generic justifications in your SoA. Explanations should reflect your organisation’s actual environment, operations, and risk context.

3) Keep it Current and Relevant: Review and update the SoA regularly as risks, technologies, and processes change. Ongoing updates keep the document accurate, relevant, and audit ready.

4) Use it Beyond Compliance: Treat the SoA as a management tool. It should support decision-making, control oversight, and security governance across the organisation.

Conclusion

The ISO 27001 Statement of Applicability is the bridge between risk assessment, control selection, and real-world security practice. When developed carefully and kept up to date, it strengthens audit readiness, improves transparency, and supports better security decisions. Treating the SoA as a living, risk-driven control map is useful for turning compliance into a practical and measurable protection process.

Build, manage, and improve an ISMS with ISO 27001 Training today!
