What is a Statement of Applicability (SoA) in ISO 27001?
A Statement of Applicability (SoA) is a critical document required for ISO 27001 certification. It lists which information security controls, as outlined in ISO 27001 Annex A, are applicable to your organization's Information Security Management System (ISMS).
In simple terms, the SoA serves as the "map" between your risks and your security measures, and it is one of the first things an ISO 27001 auditor will ask to see.
The SoA connects your risk assessment with your risk treatment plan by identifying the controls you have implemented to mitigate the identified risks, the controls that are not applicable, and the justifications for both.
Why Is the Statement of Applicability Important?
Certification Requirement: A mandatory document for achieving ISO 27001 certification.
Audit Focus: Auditors heavily scrutinize your SoA to verify your ISMS implementation.
Risk Management: Shows how your chosen controls effectively address your risk profile.
Transparency: Provides internal and external stakeholders with a clear understanding of your security measures.
Recordkeeping: Acts as an ongoing reference document for future surveillance and re-certification audits.
What Should Be Included in a Statement of Applicability?
A well-prepared SoA typically includes:
List of Controls: All 114 controls from ISO 27001 Annex A.
Applicability: Whether each control is applicable to your organization.
Justification: Reason why each control is included or excluded.
Implementation Status: Whether each control has been implemented, partially implemented, or not yet implemented.
Additional Controls: Any extra controls you have adopted beyond those in Annex A.
How to Write Your Statement of Applicability
Start with your Risk Assessment: Understand the specific risks your organization faces.
Review ISO 27001 Annex A Controls: Determine applicability based on risk treatment needs.
Document Justifications: Clearly explain why each control is or isn't applicable.
Track Implementation Status: Update the SoA as you roll out or improve controls.
Review Regularly: The SoA must be updated over time — especially before audits.
Common Mistakes to Avoid When Preparing Your SoA
Missing Justifications: Always justify inclusions and exclusions.
Ignoring Implementation Status: Auditors expect current, honest reporting.
Treating It As "One and Done": The SoA should evolve as your ISMS matures.
Poor Linkage to Risk Assessment: Controls must tie directly to identified risks.
The Statement of Applicability isn't just a "tick-box" exercise — it's the heart of your ISMS. It shows how thoughtfully you manage risks and protect your organization.
When done right, your SoA not only satisfies ISO auditors but also strengthens your overall cybersecurity posture.