A black and white drawing of a rock formation.

ISO 27001 is an international standard for securing your data and documenting your information security management system (ISMS). The process for ISO 27001 certification includes several steps and stages, one of which is preparing a Statement of Applicability.

In this article, we’ll cover what an ISO 27001 Statement of Applicability is and how to create one ahead of your ISO 27001 audit. 

What is the Statement of Applicability for ISO 27001?

The Statement of Applicability, often called SoA, is one of the required documents you’ll need to prepare for your ISO 27001 auditor ahead of your audit. Within the ISO 27001 framework, there are two parts: a set of clauses that provide requirements you must meet to be ISO 27001 compliant and an annex of specific controls you can implement to meet those requirements. Not all of these controls will be applicable to your organization and therefore don’t need to be implemented. Your Statement of Applicability is a document that explains which controls are and aren’t relevant to your organization and why.

Steps to create Statement of Applicability.
Steps to create Statement of Applicability.

Why is the Statement of Applicability important?

Your Statement of Applicability is a prerequisite for your ISO 27001 audit, as it gives your auditor a detailed account of the controls you’ve implemented, the controls you’ve omitted, and why you made this decision for each control. This document will serve as your auditor’s guide as they audit your ISMS and allows you to provide context about the choices you’ve made for your system.

Your Statement of Applicability doesn’t just benefit your auditor — it also benefits your organization. The process of creating your SoA acts as a forcing function for you to think about each ISO 27001 control and requirement, how to implement it or if it’s necessary. You and your team can use this document internally as a reference as you strengthen and modify your ISMS over time.

{{cta_withimage2="/cta-modules"}}

What should an ISO 27001 Statement of Applicability include?

Your Statement of Applicability should cover all 114 controls listed in ISO 27001 Annex A and provide an explanation of whether or not that control was implemented and how. You need to include a detailed spreadsheet-like table in your SoA that includes:

  • The full list of the Annex A controls along with the code for where they are located in the annex. (Example: A5, A12.1)
  • An explanation of why you chose to implement each control or why you chose to omit it.
  • A brief explanation of how you implemented each control you chose to include.
  • A reference to where each control you’ve implemented can be found in your ISMS.

How to create a Statement of Applicability

To create a SoA, follow these steps:

  1. Build base knowledge: Understand the clauses in ISO 27001 and the controls in Annex A since these will be the foundation for your SoA.
  2. Conduct a risk assessment: The aim of the Statement of Applicability is to determine and document which controls are necessary for your organization. These decisions should be driven by the information security risks your organization faces.
  3. Complete a risk treatment plan: After you’ve identified the risks, create a plan that uses Annex A controls to address those risks.
  4. Create the structure of your SoA: Create a table that will become the structure of your Statement of Applicability that includes columns for the Annex A control, inclusion or exclusion of the control, reason for including/excluding the control, how the control was implemented, where the auditor can reference the control in your ISMS.
  5. Identify appropriate controls: Review each control in Annex A and notate which ones you included and which ones you excluded. Look for any controls you may have missed during your implementation.
  6. Complete your SoA report: Fill in the table in your SoA, analyzing each Annex A control and providing all the necessary details in each row.

These steps will allow you to create a thorough Statement of Applicability to help you pass your ISO 27001 audit, receive your certification, and help you build a strong and secure ISMS.

Get ISO 27001 certified faster with Vanta

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like: 

  • Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
  • Assess your risk holistically from one unified view.
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a Vanta-vetted auditor within the platform. 
  • Complete your ISO 27001 certification in half the time. 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.

{{cta_testimonial4="/cta-modules"}}

Preparing for an ISO 27001 audit

ISO 27001 Statement of Applicability (SoA)

A black and white drawing of a rock formation.

ISO 27001 is an international standard for securing your data and documenting your information security management system (ISMS). The process for ISO 27001 certification includes several steps and stages, one of which is preparing a Statement of Applicability.

In this article, we’ll cover what an ISO 27001 Statement of Applicability is and how to create one ahead of your ISO 27001 audit. 

What is the Statement of Applicability for ISO 27001?

The Statement of Applicability, often called SoA, is one of the required documents you’ll need to prepare for your ISO 27001 auditor ahead of your audit. Within the ISO 27001 framework, there are two parts: a set of clauses that provide requirements you must meet to be ISO 27001 compliant and an annex of specific controls you can implement to meet those requirements. Not all of these controls will be applicable to your organization and therefore don’t need to be implemented. Your Statement of Applicability is a document that explains which controls are and aren’t relevant to your organization and why.

Steps to create Statement of Applicability.
Steps to create Statement of Applicability.

Why is the Statement of Applicability important?

Your Statement of Applicability is a prerequisite for your ISO 27001 audit, as it gives your auditor a detailed account of the controls you’ve implemented, the controls you’ve omitted, and why you made this decision for each control. This document will serve as your auditor’s guide as they audit your ISMS and allows you to provide context about the choices you’ve made for your system.

Your Statement of Applicability doesn’t just benefit your auditor — it also benefits your organization. The process of creating your SoA acts as a forcing function for you to think about each ISO 27001 control and requirement, how to implement it or if it’s necessary. You and your team can use this document internally as a reference as you strengthen and modify your ISMS over time.

{{cta_withimage2="/cta-modules"}}

What should an ISO 27001 Statement of Applicability include?

Your Statement of Applicability should cover all 114 controls listed in ISO 27001 Annex A and provide an explanation of whether or not that control was implemented and how. You need to include a detailed spreadsheet-like table in your SoA that includes:

  • The full list of the Annex A controls along with the code for where they are located in the annex. (Example: A5, A12.1)
  • An explanation of why you chose to implement each control or why you chose to omit it.
  • A brief explanation of how you implemented each control you chose to include.
  • A reference to where each control you’ve implemented can be found in your ISMS.

How to create a Statement of Applicability

To create a SoA, follow these steps:

  1. Build base knowledge: Understand the clauses in ISO 27001 and the controls in Annex A since these will be the foundation for your SoA.
  2. Conduct a risk assessment: The aim of the Statement of Applicability is to determine and document which controls are necessary for your organization. These decisions should be driven by the information security risks your organization faces.
  3. Complete a risk treatment plan: After you’ve identified the risks, create a plan that uses Annex A controls to address those risks.
  4. Create the structure of your SoA: Create a table that will become the structure of your Statement of Applicability that includes columns for the Annex A control, inclusion or exclusion of the control, reason for including/excluding the control, how the control was implemented, where the auditor can reference the control in your ISMS.
  5. Identify appropriate controls: Review each control in Annex A and notate which ones you included and which ones you excluded. Look for any controls you may have missed during your implementation.
  6. Complete your SoA report: Fill in the table in your SoA, analyzing each Annex A control and providing all the necessary details in each row.

These steps will allow you to create a thorough Statement of Applicability to help you pass your ISO 27001 audit, receive your certification, and help you build a strong and secure ISMS.

Get ISO 27001 certified faster with Vanta

With Vanta’s trust management platform, you can streamline your ISO 27001 certification process. Here’s what an automated ISO 27001 can look like: 

  • Connect your infrastructure to the Vanta platform with our 300+ built-in integrations.
  • Assess your risk holistically from one unified view.
  • Identify areas of non-compliance with in-platform notifications.
  • Get a checklist of actions to help you make the needed changes. 
  • Automate evidence collection and centralize all your documents in one place.
  • Find a Vanta-vetted auditor within the platform. 
  • Complete your ISO 27001 certification in half the time. 

By using Vanta, you can save your business valuable time and money during your ISO 27001 audit process. Learn how you can get your ISO 27001 certification faster by requesting a demo.

{{cta_testimonial4="/cta-modules"}}

Your checklist to ISO 27001 certification

Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.

Your checklist to ISO 27001 certification

Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.

Your checklist to ISO 27001 certification

Need to get ISO certified but not sure where to start? This guide walks you through the steps to get ISO 27001 compliant.

You want to be compliant every day, not just once a year. Vanta helps you achieve this without slowing your business down.”

Giuseppe Ciotta, VP of Engineering | Belvo

Get started with ISO 27001

Start your ISO 27001 journey with these related resources.

ISO 27001

The ISO 27001 Compliance Checklist

ISO 27001 is the global gold standard for ensuring the security of information and its supporting assets. Obtaining ISO 27001 certification can help an organization prove its security practices to potential customers anywhere in the world.

The ISO 27001 Compliance Checklist
The ISO 27001 Compliance Checklist
ISO 27001

ISO 27001 Compliance for SaaS

On 10 October at 2 PM BST, join the Ask Me (Almost) Anything with Herman Errico and Kim Elias, compliance experts at Vanta. They’ll answer (almost) all your questions about ISO 27001 compliance.

ISO 27001 Compliance for SaaS
ISO 27001 Compliance for SaaS
ISO 27001

ISO 27001 vs. SOC 2: Which standard is right for my business?

Complying with security standards such as ISO 27001 or SOC 2 can help boost your business, but for technology startups, security compliance is often lower on the list of company priorities.

ISO 27001 vs. SOC 2: Which standard is right for my business?
ISO 27001 vs. SOC 2: Which standard is right for my business?

Get compliant and
build trust, fast.

Two wind turbines on a white background.
Get compliant and build trust,
fast.
Get started