What is a Statement of Applicability?
Key takeaway
The Statement of Applicability (SoA) documents which ISO 27001 Annex A controls apply to your organization and why. Learn its role in certification audits.
The Statement of Applicability (SoA) is a mandatory document in ISO 27001 that records which Annex A controls are applicable to the organization, which are not applicable, and the justification for each decision. It serves as a central reference linking the organization's risk assessment results to its selected security controls.
Why does the SoA matter?
The Statement of Applicability is one of the most important documents in an ISO 27001 ISMS. It serves multiple purposes:
- Demonstrates completeness — shows that the organization has considered every Annex A control and made deliberate decisions about each one
- Links risk to controls — connects identified risks to the controls selected to mitigate them
- Audit reference — certification auditors use the SoA as a primary reference when planning and conducting their audit
- Scope definition — helps define the boundary of the ISMS by clarifying which controls apply and which do not
- Communication tool — provides a clear summary of the organization's security control posture for management and stakeholders
What does the Statement of Applicability contain?
A well-structured Statement of Applicability typically includes the following for each Annex A control:
- Control reference number — the Annex A control identifier (e.g., A.5.1, A.8.24)
- Control description — a brief description of the control
- Applicability status — whether the control is applicable or not applicable
- Justification — the reason for inclusion or exclusion (referencing the risk assessment where relevant)
- Implementation status — whether the control is fully implemented, partially implemented, or planned
- Implementation method — how the control is implemented (policy, technical measure, process, etc.)
- Evidence reference — pointers to evidence demonstrating implementation
How do you build the SoA?
Creating the Statement of Applicability follows a logical sequence:
- Complete the risk assessment — identify and evaluate information security risks
- Determine risk treatment — decide how each risk will be treated
- Select controls — choose controls to mitigate identified risks
- Cross-reference Annex A — compare selected controls against the full Annex A list to check for gaps
- Document applicability — record which controls apply and which do not, with justifications
- Track implementation — document the current status of each applicable control
How do you justify excluding controls from the SoA?
It is acceptable to exclude Annex A controls from the SoA, but each exclusion must be justified. Common justifications include:
- The risk associated with the control area has been assessed and is within acceptable tolerance
- The control is not relevant to the organization's scope (e.g., physical security controls for a fully remote company with no physical offices)
- The risk is transferred through insurance or contractual arrangements
Auditors will scrutinize exclusions, so justifications should be clear, specific, and tied to the risk assessment.
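As an added illustration (not episki's code or an ISO artefact), the following Python sketch follows the build sequence above and applies the exclusion rule: it walks a constructed subset of Annex A, fills the SoA fields listed earlier from risk-treatment output, and reports the gaps an auditor would raise, such as an excluded control with no justification or an "implemented" control with no evidence reference. The Annex A subset, control names and sample inputs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed subset of Annex A (ISO 27001:2022 numbering) used as sample input;
# a real SoA must cover the full Annex A list.
ANNEX_A = {
    "A.5.1": "Policies for information security",
    "A.7.1": "Physical security perimeters",
    "A.8.8": "Management of technical vulnerabilities",
    "A.8.24": "Use of cryptography",
}
VALID_STATUS = {"fully implemented", "partially implemented", "planned"}

@dataclass
class SoaEntry:
    control: str            # Annex A control identifier
    description: str        # control description
    applicable: bool        # applicability status
    justification: str      # reason for inclusion or exclusion
    status: str = ""        # implementation status (applicable controls only)
    method: str = ""        # implementation method (policy, technical measure, ...)
    evidence: list = field(default_factory=list)  # evidence references

def build_soa(selected, exclusions):
    """selected: {control_id: {"risk": ..., "status": ..., "method": ..., "evidence": [...]}}
    from risk treatment; exclusions: {control_id: justification}.
    Walks the full Annex A list so no control is silently left out."""
    soa = {}
    for cid, desc in ANNEX_A.items():
        if cid in selected:
            s = selected[cid]
            soa[cid] = SoaEntry(cid, desc, True, f"Treats risk {s['risk']}",
                                s["status"], s["method"], list(s.get("evidence", [])))
        else:
            soa[cid] = SoaEntry(cid, desc, False, exclusions.get(cid, ""))
    return soa

def audit_findings(soa, selected):
    """Return the gaps an auditor would raise against this SoA."""
    findings = [f"{cid}: selected control is not an Annex A control"
                for cid in selected if cid not in ANNEX_A]
    for e in soa.values():
        if not e.applicable and not e.justification.strip():
            findings.append(f"{e.control}: excluded without justification")
        if e.applicable and e.status not in VALID_STATUS:
            findings.append(f"{e.control}: invalid implementation status {e.status!r}")
        if e.applicable and e.status == "fully implemented" and not e.evidence:
            findings.append(f"{e.control}: marked implemented but no evidence reference")
    return findings
```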
How do you maintain the SoA?
The SoA is not a one-time document. It should be reviewed and updated:
- After changes to the risk assessment
- When new Annex A controls are introduced (as in the 2022 revision)
- When the organization's scope, services, or infrastructure changes
- At least annually as part of the ISMS management review
How does episki help with the SoA?
episki generates and maintains your Statement of Applicability automatically based on your risk assessment results and control mappings. As your risk profile evolves, the SoA updates accordingly. The platform provides a clear view of applicability, implementation status, and evidence for each control. Learn more on our ISO 27001 compliance page.