What's the ISO 27001 Statement of Applicability?

You've been tasked with achieving ISO 27001 certification for your organization, and you keep hearing about the "Statement of Applicability" or SoA. But what exactly is this document, and why does it matter so much in your certification journey?
The Statement of Applicability is often described as the cornerstone of ISO 27001 certification - a critical document that bridges the gap between your risk assessment and the actual implementation of security controls. Without a properly prepared SoA, your certification efforts may hit a roadblock, leaving your organization vulnerable to security gaps and compliance issues.
In this article, we'll demystify the Statement of Applicability, explain its importance, outline how to create one, and highlight the key differences between the 2013 and 2022 versions of ISO 27001 that impact your SoA.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory document required for ISO 27001 certification that maps your information security management system against the controls listed in Annex A of the ISO 27001 standard. It documents which security controls your organization has implemented, which ones you've excluded, and the justification for each of these decisions.
Think of the SoA as both a roadmap and a declaration of your organization's information security posture. It connects your risk assessment findings to your chosen controls, creating a clear picture of how you're addressing identified risks.
The SoA serves several critical functions:
- It acts as a reference document for auditors during internal, certification, and surveillance audits
- It provides a comprehensive overview of all implemented controls and the rationale behind any exclusions
- It builds confidence among stakeholders (clients, partners, regulators) that your organization takes data protection seriously
- It helps your organization maintain compliance with the ISO 27001 standard over time
As one information security professional on Reddit commented, "The SoA is often the first document auditors ask for because it provides a snapshot of your entire Information Security Management System (ISMS)."
Key Requirements for an Effective SoA
For your Statement of Applicability to be effective and compliant with ISO 27001, it must include:
- A Comprehensive List of Controls: Your SoA must enumerate all controls from Annex A (currently 93 controls in the 2022 version, down from 114 in the 2013 version) and clearly indicate whether each one is implemented or not.
- Clear Justification: For every control—whether implemented or excluded—you must provide a clear explanation for your decision. These justifications should be linked to your risk assessment findings or other business requirements.
- Management Approval: The SoA should be reviewed and approved by your organization's management, both to validate its content and to treat it as a controlled document whose confidentiality is protected. This demonstrates senior leadership's commitment to information security governance.
- Regular Updates: The SoA isn't a "set it and forget it" document. It needs to be regularly reviewed and updated to reflect changes in your organization, emerging risks, and ongoing risk assessments.
How to Create the ISO 27001 Statement of Applicability in 5 Steps
Creating a compliant and effective Statement of Applicability doesn't have to be overwhelming if you follow a structured approach. Here's how to develop your SoA in five manageable steps:
Step 1: Understand the Requirements
Before diving into creating your SoA, you need to thoroughly understand ISO 27001 and its related controls in ISO 27002. This means:
- Familiarizing yourself with the structure and requirements of the standard
- Understanding the control objectives and implementation guidance
- Identifying which version of the standard you're working with (2013 or 2022)
"The ISO 27001 describes a way of implementing an information security management system and all the parts you need for it. In reality, the ISO itself is (without experience) not enough to fulfill that task," notes a cybersecurity professional on Reddit. This highlights the importance of gaining proper understanding before proceeding.
Step 2: Conduct a Risk Assessment
A thorough risk assessment is the foundation of your SoA. During this process:
- Identify your organization's information assets
- Evaluate potential security threats and vulnerabilities
- Assess risks based on likelihood and impact
- Determine which risks need to be addressed
Your risk assessment findings will directly inform which controls you implement and which you exclude, so this step is crucial for creating a meaningful SoA.
Step 3: Determine Your Risk Management Strategy
Once you've identified and evaluated risks, you need to decide how to manage them:
- Will you implement controls to mitigate the risk?
- Will you transfer the risk (e.g., through insurance)?
- Will you accept the risk as is?
- Will you avoid the risk by eliminating the associated activity?
These decisions will guide your selection of controls in the next step.
Step 4: Select Applicable Controls
Now it's time to determine which of the Annex A controls apply to your organization. For each control, you'll need to decide:
- Is this control applicable to our organization?
- If applicable, how will we implement it?
- If not applicable, why not?
Remember that control selection should be based on:
- Your risk treatment plans
- Business objectives and requirements
- Legal, regulatory, and contractual obligations
- Industry standards and best practices
Step 5: Document Your SoA
Finally, create a comprehensive document that includes:
- A list of all Annex A controls
- For each control: applicability status, implementation status, and justification
- References to supporting documentation or evidence
- Management approval and sign-off
Many organizations use a spreadsheet format for their SoA, with columns for control ID, description, applicability, justification, and implementation status. This format makes the document easy to navigate and update.
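An added example, not part of the original article: a small Python check that applies the requirements listed above (every Annex A control present, a justification for each, risk linkage and status for applicable ones, management sign-off) to an SoA exported from a spreadsheet as CSV. The column names, the `check_soa` function and the placeholder control IDs in the sample are assumptions constructed for this illustration; ISO 27001 does not prescribe a layout.

```python
"""Completeness check for an ISO 27001 Statement of Applicability (SoA)
exported as CSV. Column names are an assumed layout for this example."""
import csv
import io

# Annex A control counts per standard version, as stated in the article
ANNEX_A_CONTROLS = {"2013": 114, "2022": 93}
APPLICABILITY_VALUES = {"applicable", "not applicable"}


def check_soa(csv_text: str, version: str, approved_by: str = "") -> list[str]:
    """Return human-readable findings; an empty list means the SoA passes."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = []
    ids = [r["control_id"].strip() for r in rows]
    if len(ids) != len(set(ids)):
        findings.append("duplicate control IDs in SoA")
    expected = ANNEX_A_CONTROLS[version]
    if len(set(ids)) != expected:
        findings.append(f"{len(set(ids))} controls listed, {expected} expected for ISO 27001:{version}")
    for r in rows:
        cid = r["control_id"].strip()
        applicability = r["applicability"].strip().lower()
        if applicability not in APPLICABILITY_VALUES:
            findings.append(f"{cid}: applicability must be 'Applicable' or 'Not applicable'")
        # Every control, included or excluded, needs a documented reason
        if not r["justification"].strip():
            findings.append(f"{cid}: missing justification")
        if applicability == "applicable":
            # Applicable controls must trace back to a risk and record status
            if not r["risk_reference"].strip():
                findings.append(f"{cid}: applicable control not linked to a risk")
            if not r["implementation_status"].strip():
                findings.append(f"{cid}: implementation status not recorded")
    # Sign-off is a property of the whole document, so it is checked once
    if not approved_by.strip():
        findings.append("no management approval recorded")
    return findings


# Constructed three-row excerpt; control IDs are placeholders, not real Annex A numbers
SAMPLE_SOA = """control_id,description,applicability,justification,implementation_status,risk_reference
A.X.1,Example control one,Applicable,Treats risk R-07,Implemented,R-07
A.X.2,Example control two,Not applicable,No in-house development in scope,,
A.X.3,Example control three,Applicable,,Planned,
"""

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, "2022", approved_by="CISO"):
        print(finding)
```

Run against a full export, the control-count finding disappears once all 93 (or 114) rows are present, leaving only per-control gaps an auditor would otherwise raise.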
The Transparency Challenge: Sharing Your SoA
One common challenge with ISO 27001 certification revolves around transparency. As one Reddit user noted, "We have ISO 27001 certification and we will absolutely not share the audit report. We will discuss current non-conformances."
This highlights a widespread issue: many certified organizations are reluctant to share detailed audit information, even with business partners under NDA. However, another user countered: "If they refuse to share the report while you have a valid NDA that covers it, that's a red flag and grounds for ceasing any existing relationships."
The Statement of Applicability offers a potential middle ground. While organizations may be hesitant to share full audit reports, sharing the SoA (or a redacted version) can provide partners with valuable insights into your security controls without exposing sensitive details about implementation or non-conformities.
ISO 27001:2022 vs ISO 27001:2013: What's Changed?
In 2022, the International Organization for Standardization (ISO) released an updated version of ISO 27001. This update has significant implications for the Statement of Applicability, as it reorganizes and modernizes the control structure.
Key Differences Between Versions
1. Reduced and Reorganized Controls
The most noticeable change is the reduction and reorganization of controls:
- ISO 27001:2013 featured 114 controls organized into 14 domains (A.5 through A.18)
- ISO 27001:2022 contains 93 controls consolidated into just 4 themes:
  - Organizational controls (37 controls)
  - People controls (8 controls)
  - Physical controls (14 controls)
  - Technological controls (34 controls)
As one information security professional commented on Reddit, "IMHO, ISO took way too long to do this update. I've seen more and more organizations shifting to NIST CSF." This sentiment reflects how the 2022 update was an overdue modernization of the standard.
2. New Control Structure
The 2022 version introduces a new structure for each control:
- Control ID and name
- Attribute table (defining properties like control type and information security properties)
- Purpose (what the control aims to achieve)
- Guidance (how to implement the control)
This streamlined approach makes it easier to understand the intent behind each control and how it contributes to your overall security posture.
3. Modern Cybersecurity Focus
ISO 27001:2022 includes new controls addressing current cyber threats and technology use cases, such as:
- Threat intelligence
- Cloud services security
- Configuration management
- Information deletion
- Data leakage prevention
- Monitoring activities
- Web filtering
Impact on Your Statement of Applicability
If you're transitioning from ISO 27001:2013 to ISO 27001:2022, you'll need to:
- Map existing controls to the new structure
- Identify gaps where new controls might be needed
- Update your SoA to reflect the new control organization
- Review exclusions to ensure they're still appropriate under the new framework
Organizations certified under the 2013 version typically have a three-year transition period to update their certification to the 2022 version.
Conclusion: The SoA is More Than Just Compliance
The Statement of Applicability is not merely a compliance document—it's a vital tool that reflects your organization's approach to managing information security risks. A well-crafted SoA:
- Demonstrates your security posture to stakeholders
- Guides your implementation of security controls
- Facilitates communication with auditors
- Helps maintain compliance over time
As one Reddit user aptly noted about ISO certification processes, "Too many companies think they can do it by themselves, but I always recommend reaching out to an expert." This advice applies particularly to creating a robust Statement of Applicability, where expert guidance can help navigate the complexities of control selection and justification.
By thoroughly understanding and properly preparing your Statement of Applicability, you're not just checking a box for certification—you're building a stronger security foundation for your organization. Whether you're working with the 2013 or 2022 version of the standard, a comprehensive SoA helps ensure that your information security management system effectively addresses your unique risk landscape.
Remember that transparency builds trust. Consider how you can utilize your SoA as a communication tool with stakeholders while still protecting sensitive information. In an era where security concerns are paramount, demonstrating your commitment to information security through a well-documented SoA can be a significant competitive advantage.
Additional Resources
For organizations embarking on their ISO 27001 certification journey, these resources may be helpful: