If an ISO 27001 auditor could see only one document, they'd ask for the Statement of Applicability. The SoA is where your information security management system stops being abstract and becomes a specific, justified set of decisions about what you protect and how.
What the SoA actually is
The Statement of Applicability lists every control in Annex A (93 controls in the 2022 version) and, for each one, states: whether it applies to you, the justification for including or excluding it, and its implementation status. It's the bridge between your risk assessment and your real-world controls.
Why it's the spine of the ISMS
The logic chain runs: you assess risks → you decide how to treat them (the risk treatment plan) → the controls you choose to implement are recorded, with justification, in the SoA. Exclude a control? You must justify why it doesn't apply. Include one? You say how it's implemented. Nothing hides — the SoA forces every control decision to be deliberate and defensible.
The SoA is where "we take security seriously" becomes "here are the 93 control decisions we made, and exactly why."
Building it without drowning
- Start from the risk assessment, not the control list. Controls exist to treat risks; let the risks drive inclusion.
- Justify exclusions concretely. "We don't develop software" is a valid reason to scope down secure-development controls; "too hard" is not.
- Keep status honest. "Planned" is fine if it's true and tracked; claiming "implemented" when it isn't is how certifications get suspended.
- Treat it as living. When risks or the business change, the SoA changes. A frozen SoA is a stale one.
The common mistake
Teams often write the SoA last, as paperwork, copying a template and marking everything "applicable/implemented." That inverts the logic and produces a document that doesn't match reality — which an auditor spots in minutes by sampling a few controls against actual evidence.
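The consistency rules above (every control gets a decision, exclusions need a justification, "implemented" needs evidence, and the risk treatment plan cannot rely on an excluded control) can be checked mechanically before an auditor samples them. The following is an added illustration, not part of the article or any ISO text; the control IDs, risk IDs and evidence references in the sample are constructed, and the data model is a hypothetical minimal one.

```python
from dataclasses import dataclass, field

VALID_STATUS = {"implemented", "planned", "not applicable"}

@dataclass
class SoAEntry:
    control: str  # Annex A identifier, e.g. "A.8.25"
    applicable: bool  # the include/exclude decision
    justification: str  # why it is included or excluded
    status: str  # one of VALID_STATUS
    evidence: list = field(default_factory=list)  # pointers to proof: policy IDs, tickets, audit logs

def check_soa(entries, treatment_plan_controls, annex_a_ids):
    """Return a list of findings; an empty list means the SoA is internally consistent."""
    findings = []
    recorded = {e.control for e in entries}
    # Every Annex A control needs an explicit decision, even if that decision is "exclude".
    for cid in sorted(annex_a_ids - recorded):
        findings.append(f"{cid}: no decision recorded")
    for e in entries:
        if e.status not in VALID_STATUS:
            findings.append(f"{e.control}: unknown status {e.status!r}")
        if not e.justification.strip():
            findings.append(f"{e.control}: missing justification")
        if e.applicable:
            if e.status == "not applicable":
                findings.append(f"{e.control}: marked applicable but status is 'not applicable'")
            # "Implemented" must point at something an auditor can sample.
            if e.status == "implemented" and not e.evidence:
                findings.append(f"{e.control}: claims implemented but lists no evidence")
        else:
            if e.status != "not applicable":
                findings.append(f"{e.control}: excluded but status is {e.status!r}")
            # The risk treatment plan cannot rely on a control the SoA excludes.
            if e.control in treatment_plan_controls:
                findings.append(f"{e.control}: excluded but the risk treatment plan relies on it")
    return findings

# Constructed sample: a four-control slice of Annex A, not a real SoA.
SAMPLE_ANNEX_A = {"A.5.1", "A.6.3", "A.8.5", "A.8.25"}
SAMPLE_TREATMENT_PLAN = {"A.5.1", "A.8.5", "A.8.25"}  # controls the (hypothetical) plan relies on
SAMPLE_SOA = [
    SoAEntry("A.5.1", True, "Treats policy-gap risk R-01", "implemented", ["POL-IS-001"]),
    SoAEntry("A.8.5", True, "Treats credential-theft risk R-07", "implemented"),  # no evidence
    SoAEntry("A.8.25", False, "We do not develop software", "not applicable"),  # plan needs it
    # A.6.3 has no entry at all
]

def run_sample():
    return check_soa(SAMPLE_SOA, SAMPLE_TREATMENT_PLAN, SAMPLE_ANNEX_A)
```

Run against the sample, it reports the three defects an auditor would find by sampling: a control with no decision, an "implemented" claim with no evidence, and an exclusion the treatment plan contradicts.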
Implement ISO 27001 properly
My ISO 27001 course covers the full ISMS — risk assessment, the risk treatment plan, the Statement of Applicability, and the path to certification — for the person who has to build it.
Browse the courses →
Questions
Is the SoA mandatory?
Yes — ISO 27001 explicitly requires a Statement of Applicability. It's one of the documents an auditor will always ask for.
How many controls are there?
The 2022 version of Annex A has 93 controls across four themes (organizational, people, physical, technological); the 2013 version had 114.