What is Statement of Applicability (SoA) in ISO 27001?
Part of ISO 27001 collection
Part of NIS2 collection

Cyberday blog

The Statement of Applicability (SoA) is one of the mandatory documents for ISO 27001 certification. In a nutshell, the SoA states which of the security controls in the standard's Annex A (93 in the 2022 edition) are relevant for your organization, whether you have implemented them and how.

Too often the SoA is treated as a static document, although it should play an active role in compliance work, continuous improvement and monitoring your overall ISO 27001 progress.

In this blog, we'll cover the main purpose and benefits of a well-working SoA document. We'll also explain its main roles in information security management that is based on ISO 27001.

What is Statement of Applicability (SoA) in ISO 27001?

The Statement of Applicability states which security controls from the Annex A list of ISO 27001 are relevant for your organization, whether you have implemented them and how.

Good to know: The exact contents, purpose and name of the SoA are specific to ISO 27001, but the general idea of listing requirements or controls and clearly showing your status and response to each can be applied to any kind of compliance reporting, for example against any information security framework.

In a typical SoA document, you list all 93 controls of ISO 27001:2022 Annex A (often in an Excel file) and show the following for each:

  • Applicability status (applicable or not applicable)
  • A justification for the decision, and a strong one for every control marked not applicable
  • Implementation status
  • References to evidence or further details about the implementation
Excerpt from a traditional SoA document
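The checks an auditor applies to such a spreadsheet are mechanical enough to script. The following is an added example, not code from the original article or from any ISMS product: it parses an SoA exported as CSV with the four fields listed above, flags rows that would be questioned in an audit (a control marked not applicable without a justification, an "implemented" control with no evidence reference, a wrong row count, duplicates) and summarizes implementation status. The column names, the 20-character threshold for a "strong" justification and the sample rows are all assumptions constructed for the example; the control IDs follow Annex A numbering.

```python
"""Validate and summarize an ISO 27001 Statement of Applicability (SoA).

Added example, not part of the original article or of any ISMS product.
The column layout mirrors the four fields a typical Excel-based SoA carries;
the CSV rows below are constructed sample data, not a real organization's SoA.
"""
import csv
import io
from collections import Counter

# Constructed sample SoA (control IDs follow Annex A numbering of ISO 27001:2022).
SAMPLE_SOA_CSV = """control_id,control_name,applicable,justification,implementation_status,evidence_refs
A.5.1,Policies for information security,yes,Required by clause 5.2 and customer contracts,implemented,POL-001;REV-2024-Q1
A.5.23,Information security for use of cloud services,yes,Production runs in public cloud,partially implemented,POL-014
A.7.1,Physical security perimeters,no,,not implemented,
A.8.7,Protection against malware,yes,Endpoints and servers exposed to malware,implemented,
A.8.23,Web filtering,no,No corporate network; all traffic from managed endpoints already goes through the secure web gateway described in POL-017,not implemented,POL-017
"""

VALID_STATUSES = {"implemented", "partially implemented", "not implemented"}
MIN_JUSTIFICATION_CHARS = 20  # assumption: a one-word justification is not "strong"


def parse_soa(text):
    """Parse SoA rows from CSV text into a list of dicts."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["applicable"] = row["applicable"].strip().lower() == "yes"
        row["evidence_refs"] = [r for r in row["evidence_refs"].split(";") if r]
    return rows


def validate_soa(rows, expected_count=93):
    """Return the findings an auditor would raise against the SoA rows."""
    findings = []
    if len(rows) != expected_count:
        findings.append(f"SoA lists {len(rows)} controls, Annex A has {expected_count}")
    seen = set()
    for row in rows:
        cid = row["control_id"]
        if cid in seen:
            findings.append(f"{cid}: duplicate row")
        seen.add(cid)
        status = row["implementation_status"].strip().lower()
        if status not in VALID_STATUSES:
            findings.append(f"{cid}: unknown implementation status '{status}'")
        if not row["applicable"]:
            # Exclusions need a real justification, and must not claim implementation.
            if len(row["justification"].strip()) < MIN_JUSTIFICATION_CHARS:
                findings.append(f"{cid}: marked not applicable without a strong justification")
            if status == "implemented":
                findings.append(f"{cid}: not applicable but marked implemented")
        else:
            # Inclusions need a justification too, and "implemented" needs evidence behind it.
            if not row["justification"].strip():
                findings.append(f"{cid}: applicable control without justification for inclusion")
            if status == "implemented" and not row["evidence_refs"]:
                findings.append(f"{cid}: implemented but no evidence reference")
    return findings


def summarize_soa(rows):
    """Count controls by applicability and implementation status."""
    summary = Counter()
    for row in rows:
        if row["applicable"]:
            summary[row["implementation_status"].strip().lower()] += 1
        else:
            summary["not applicable"] += 1
    return dict(summary)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA_CSV)
    print(summarize_soa(soa))
    for finding in validate_soa(soa, expected_count=5):  # the sample has only 5 rows
        print("FINDING:", finding)
```

Run against the sample, the script flags A.7.1 (excluded with an empty justification) and A.8.7 (marked implemented with nothing to point an auditor at), while A.8.23 passes because its exclusion is justified and references a policy. Against a real export you would leave `expected_count` at 93 so a missing or duplicated control row is caught as well.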

It is vital to understand that the control list in ISO 27001 has been carefully built by industry experts and battle-tested over the years by tens of thousands of certified organizations. For this reason, you really can't justify fundamental controls as not applicable, and you need strong reasoning for any control you have decided not to implement.

For the same reason, most SoA documents from certified organizations look mostly green (i.e. the control has been implemented), with perhaps a couple of controls marked not applicable. Even so, there can be a lot of variance in the depth to which each applicable control is implemented.

A smart SoA document can pull in more implementation information from your ISMS, so you can also use the SoA as a tool to monitor the implementation and strength of each control directly.

Example of an automated SoA summary, generated from ISMS task content

Key purposes of the SoA include:

  • Demonstrating control implementation: The ISO 27001 control list includes 93 controls that cover all the different aspects of information security. The SoA communicates at a glance how strong your current control implementation is.
  • Providing an ISMS overview: The SoA is often one of the best ways to get an overview of your ISMS, as it provides a snapshot of the security measures currently in place.
  • Facilitating the certification process: The SoA is a key document in ISO 27001 certification audits. Certification audits require all sections of the standard to be reviewed, and the SoA is usually the central point from which the auditor navigates to the more detailed documentation that proves implementation.
  • Supporting information security risk management: The SoA forces you to consider all the recommended controls of ISO 27001 holistically when deciding how to treat information security risks.
  • Supporting continuous improvement: After you reach initial compliance or certification, your security work needs to be continuously improved. You might want to harden the implementation of controls that have been involved in incidents or highlighted risks. A good SoA should help you understand the current depth of implementation of each control.

3 main reasons why the SoA is so important

1. It’s a mandatory document for certification

  • ISO 27001 explicitly requires an SoA as part of the ISMS documentation.
  • This means you can't pass an ISO 27001 certification audit without an SoA.
  • The auditor uses the SoA as a key reference to assess control selection and implementation.

2. It demonstrates a justified security approach

  • The SoA shows that the organization selected security controls based on its risk assessment results.
  • In particular, the SoA provides clear justification for any Annex A controls that were excluded.
  • This approach helps avoid overlooking critical security measures that are part of any mature information security program.

3. It serves as a roadmap for implementation & audits

  • The SoA serves as a guide for internal security teams improving ISO 27001 compliance, as they can track the implementation of the needed controls.
  • Auditors use the SoA to verify whether controls are operational and effective, and can point out controls that are implemented too vaguely.
  • The SoA also supports continuous improvement, as organizations should update it as the risk environment or their own security needs evolve.

4 main roles for SoA in information security work

Below, we’ll explore four key roles that a well-structured SoA document plays in effective information security management. Understanding these roles helps organizations implement security controls efficiently while ensuring compliance with regulatory and business requirements.

1. SoA helping you actively improve compliance

The SoA shouldn't be just a list of controls with links to static policies that mention them. It should be a live reference for security governance.

When the SoA is generated from an ISMS tool, you can track both the improvement of your compliance score and the level of assurance you have that the score is accurate. In practice this means how strongly you have implemented the relevant controls and how much detail the ISMS holds to back up that implementation status: named owners, completed reviews, linked technologies, linked records and other evidence demonstrating the implementation.

Tracking your current compliance score and assurance on a SoA document in Cyberday

2. SoA providing structure and overview for reviews & audits

Whether you are carrying out an internal or external audit based on ISO 27001, the SoA will be your main go-to document. Auditors rely on the SoA to see your security measures in the structure of ISO 27001.

Your internal auditors can do the same and audit your own security practices with the help of the SoA, which also lets you split audits into smaller parts while still showing demonstrable coverage of the full standard.

If your SoA also includes enough information about control implementation, your internal audits can start from that level and focus on investigating whether the details recorded in the SoA are actually operational.

SoA utilized by an internal auditor in the audit view

The SoA also helps with management reviews, giving top management an overview of your current ISO 27001 control implementation before diving into the details.

3. SoA supporting continuous improvement

The ISO 27001 standard can't give you exact details on how to implement each control. There is a lot of room to implement some controls with a lighter approach and to go deeper on others, namely the ones you see the biggest risks related to.

A smart SoA document can guide your thinking on strengthening control implementation. You can see which controls are already implemented very strongly and where easy hardening actions are available.

Significant changes in either your operations or your threat environment should also show up as improvements in your control implementation.

Are you happy with the depth of your current implementation of the control, or should you go further?

4. SoA supporting customer security communication

The Statement of Applicability is also one of the documents your customers or other stakeholders are most likely to ask for. Any ISO 27001 certified organization is well familiar with the SoA, so they may well want to see your version.

Some organizations make the SoA available to stakeholders on request, for example from the /security page of their website or from an ISMS app's trust center page, which can offer a by-request link to the most recently published live SoA. Because the SoA also reveals which controls you have excluded or implemented only lightly, sharing it on request rather than publishing it openly is the usual choice.

SoA being shared for stakeholders through a Cyberday trust center

Final thoughts

To summarize, a properly utilized Statement of Applicability document will help you drive ongoing security and compliance efforts. It is mandatory for certification and a key document for anyone wishing to improve their ISO 27001 compliance.

If you’re running your information security in a proper ISMS tool, you won’t need to do any extra work for gathering together the SoA document – all the needed info should be always available in your ISMS! In this case, the SoA is the key report of your ISMS, giving the overview from the ISO 27001 and control implementation perspective.
