What is the Statement of Applicability in ISO 27001?

Date: 19/02/2024

By: Symbiant

The Statement of Applicability (SoA) in ISO 27001 outlines controls to manage information security risks. It’s a roadmap showing ISO 27001 compliance in an organisation’s unique context. The SoA details the scope, controls, implementation status, and exclusions justification for transparency and assurance.

What is ISO 27001?

ISO 27001 is an internationally recognised standard for information security management. Additionally, it systematically manages sensitive company information, ensuring its confidentiality, integrity, and availability. Furthermore, the standard specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organisation’s overall business risks.

What is a Statement of Applicability (SoA)?

One key component of ISO 27001 is the Statement of Applicability (SoA). The SoA is a document that identifies the controls an organisation has selected and implemented to manage and mitigate information security risks. It is a crucial part of the ISO 27001 certification process, demonstrating how the organisation has addressed the standard’s requirements.

The SoA typically includes the following elements:

  1. Scope: Defines the boundaries of the ISMS and specifies the organisational units, business processes, and assets covered by the certification.
  2. List of Controls: Identifies the specific controls from Annex A of the ISO 27001 standard that apply to the organisation. These controls cover various aspects of information security, such as access control, cryptography, physical and environmental protection, and supplier relationships.
  3. Justification for Exclusions: If the organisation decides not to implement specific controls or parts of controls, the SoA should justify these exclusions.
  4. Implementation Status: The organisation indicates the implementation status of each control. Specifying whether it has been fully implemented, partially implemented, or not yet implemented, and includes any associated implementation details or notes.
  5. Control Objectives and Controls: It describes how each control is implemented within the organisation’s context and outlines its objectives.
  6. Supporting Documentation: References any documents or procedures supporting the controls’ implementation.

Symbiant's Risk Controls and Policies Module

Our Risk Controls and Policies Module facilitates individual users and teams working together to address and manage risks effectively. It streamlines compliance with ISO27001 standards and simplifies the creation of the Statement of Applicability with a single click, aiding in meeting certification requirements efficiently.


Overall, the Statement of Applicability plays a vital role in demonstrating an organisation’s commitment to information security and compliance with the ISO 27001 standard. It provides transparency and assurance to stakeholders, customers, and partners regarding the effectiveness of the organisation’s information security management practices.

You can read more about ISO 27001 and the Statement of Applicability here: 

IT Governance Blog