Your Statement of Applicability for ISO 27001, otherwise known as your SoA, is a mandatory step for anyone planning on pursuing ISO 27001 certification. It acts like a summary of your ISO 27001 controls. 

Let’s take a look at everything you need to know before starting your SoA. 

What is the Statement of Applicability in ISO 27001?

Unlike SOC 2, ISO 27001 comes with a standard set of controls. They are the Annex A controls. There’s 93 of them in the updated ISO 27001:2022.  Your SoA outlines which of the standard  Annex A ISO 27001 controls apply to your organization. It’s really an overview of the details and reasoning behind your applicable and not applicable controls.

To meet ISO 27001 requirements your SoA must include the following for each control:

• Control title and description 
• Whether control is applicable to your business or not 
• Justification for applicability or non-applicability

The following are recommended, but not required:

• Whether the control is currently implemented or not 
• Risk covered by the specific control

Your SoA cannot skip any of the controls, even the ones that don’t apply to you.

"If any of the Annex A controls are absent from your SoA you will get a non-conformity (meaning you won’t pass your audit). Your justifications for why each control is applicable or not doesn’t have to be paragraphs long. But, it should show your auditor that you and your senior leadership have thought about your business’s unique risks and how to cover them."

— Jitendra Juthani, OneTrust Certification Automation Director of InfoSec Risk and Compliance

What about mandatory clauses?

You do not have to include the mandatory clauses (clause 4 – 10) in your SoA. Your SoA only speaks to controls that are not mandatory, the Annex A controls.

Why Is the SoA so important for your ISO 27001 audit?

Generally, the Statement of Applicability is important because it provides the scope of your ISO 27001 project for your auditor.

Also, your auditor will use your SoA to determine whether or not you will be certified for ISO 27001 when it comes time for your actual audit. It will be like your auditor’s “cheat sheet.”

The final version of your SoA will be included in your ISO 27001 certification document at the end of your audit.

How to start your Statement of Applicability

So, let’s start on this critical document. Your Statement of Applicability fits into the broader task in your ISO 27001 project called scoping.

Some ISO 27001 compliance software providers do scoping in an onboarding interview. 

Regardless of how you decide to prepare for your ISO 27001 audit, it’s important to start thinking about questions like:

• Does your physical office have access points such as delivery and loading areas? 
• Do you collect any personally identifiable information (PII)? 
• Does your company outsource any development activities? 
• Do you use any vendors or suppliers to deliver your services or products? 
• Does your organization maintain any removable storage media that contains sensitive information?

You can determine the risks associated with your business based on the answers to questions like these. Along with what controls are needed to mitigate them. For example, Control A.11.1.6, is concerned with delivery and loading areas. If your business doesn’t have a delivery or loading area, then this control is not applicable to you.

5 preliminary steps for anyone planning on pursuing ISO 27001

You should know that compliance software will automate the steps below for you. Once you have completed your scoping questionnaire a certification automation platform will automatically:

• Generate a list of which Annex A controls are applicable to your business, those that are not, and recommendations for written justifications for all controls. 
• Monitor your controls’ real-time implementation status, track approvals and connect your readiness project and risk assessment.

Working at this on your own? Here is how you start:

1. Create a spreadsheet that contains all of the ISO 27001 controls.
2. Mark which controls are applicable vs. not applicable along with justification.
3. Identify whether the applicable controls have already been implemented or not. (Expert quick tip: ISO 27001 auditors will look for a description of how each applicable control is implemented and reference to the document, policy, or procedure that is used to mitigate risk as a best practice).
4. Get a member of your senior management team to review and approve your SoA (this is mandatory and there must be evidence of this on the SoA document). You now have draft 1 of your SoA.
5. If anything changes within the scope of your ISO 27001 project, be sure to update your SoA.

How you keep track of your documentation and manage version control are big priorities of the entire ISO 27001 process. That is why you must note any changes to your SoA and keep all previous versions of the document. Update your SoA at any point, there are no version limitations; however, the auditor needs to know which version you want to submit for your certification process in your audit.

Statement of Applicability vs. Risk Assessment Report

If you have already looked into ISO 27001, you may be asking yourself “isn’t this the same as the risk assessment report?” Or “why is the SoA mandatory when the Risk Assessment Report already defines my necessary controls?”

First, controls that are purely based on risks that need to be mitigated are included in the Risk Assessment Report. However, your SoA identifies controls that are required for other reasons beyond risk.

Some reasons could include the specific laws of your region, contractual requirements with vendors, or other business operations processes. Your SoA includes justifications for controls from other sources beyond risk and Annex A. 

The SoA further acts as a concise summary of your controls. It is fairly short and organized with a row for each control. This makes it easy to present to your management or security team and update whenever necessary.

Whereas, the Risk Assessment Report can be very long and more detailed (some organizations may identify more than 100 risks). It isn’t very practical for everyday operations or for your ISO 27001 certification document.

Learn more about building out an InfoSec program and gaining compliance with a well-known framework by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.