Statement of Applicability (SoA)
The Statement of Applicability (SoA) is a mandatory ISO 27001 document that lists the controls your organisation has determined to be necessary, records for each Annex A control whether it is included or excluded, and justifies both choices. It is one of the central documents in your ISMS documentation and is always reviewed during certification.
What is a Statement of Applicability?
The Statement of Applicability, or SoA, is required by ISO 27001 clause 6.1.3 d). The document links your risk assessment and risk treatment to the controls your organisation has chosen to implement: clause 6.1.3 b) has you determine the controls necessary to treat your risks, clause 6.1.3 c) has you compare them with Annex A to check that no necessary control has been overlooked, and the SoA records the result.
For each of the 93 controls in Annex A of ISO 27001:2022 (grouped into four themes: organisational, people, physical and technological), your SoA must state whether the control is included or excluded, justify that decision, and indicate whether each included control is implemented. Controls you have adopted from other sources (a sector standard, a contractual requirement) belong in the SoA as well. The result is a complete overview of your organisation's information security control landscape.
What should the SoA contain?
A complete SoA typically contains the following for each Annex A control:
- Control ID and name: Identification of the control in question.
- Included/excluded: Indication of whether the control is applied.
- Justification: Why the control is included or excluded, traced to a risk assessment result, a legal, regulatory or contractual requirement, or a business need.
- Implementation status: Whether the control is fully implemented, partially implemented or planned.
- Documentation reference: Link to the policy or procedure supporting the control and to the evidence that shows it is operating (records, configurations, audit results).
Excluding controls
It is legitimate to exclude Annex A controls, but each exclusion requires a documented justification. Typical justifications are that the control addresses an activity or asset type that does not exist within the ISMS scope, that the associated risk has been formally accepted by the risk owner, or that an alternative control achieves the same outcome. In the last case the alternative control is itself a necessary control and should appear in the SoA, so that the auditor can see what replaces the excluded one.
Be specific in your justifications: vague statements such as 'not relevant' are not sufficient. Describe precisely why this particular control is not necessary in your organisation's context, for example by stating that no in-scope systems or processes of the kind the control addresses exist, and keep the justification consistent with your scope statement and asset inventory. An exclusion based on risk acceptance should reference the accepted risk so that the auditor can trace it back to the risk assessment.
The SoA in certification audits
The external auditor will always review the Statement of Applicability thoroughly. They will verify that there is consistency between the risk assessment results, the risk treatment plan and the selected controls, that exclusions are well-substantiated, and that controls marked as implemented are backed by evidence (policies, procedures, records and configurations) when sampled during the audit. An inconsistent SoA, for example a control marked as implemented without supporting evidence, or a risk whose treatment relies on a control the SoA excludes, is a frequent cause of non-conformities during certification audits. Access control and asset management controls are among those most closely scrutinised.
Frequently Asked Questions about the Statement of Applicability
What is a Statement of Applicability?
A Statement of Applicability (SoA) is a mandatory document in ISO 27001. It lists the controls your organisation has determined to be necessary, states for each Annex A control whether it is included and whether it is implemented, and provides a justification for both inclusions and exclusions.
Can Annex A controls be excluded?
Yes. Not all Annex A controls are relevant to every organisation. You may exclude controls, but you must document the justification in the Statement of Applicability. Exclusions should typically be based on your risk assessment.
Who reviews the Statement of Applicability?
The external auditor (certification body) always reviews the SoA as a central part of the certification process. It is one of the most important documents in the entire ISMS documentation.
How often should the SoA be updated?
The SoA should be reviewed and updated whenever there are significant changes to the organisation's risk environment or ISMS scope, after risk assessments and management reviews, when the organisation adds or removes controls, and when a new edition of the standard revises Annex A (as the 2022 edition did, reorganising the control set into 93 controls). Common practice is to review it at least annually, in step with the internal audit and management review cycle.
What is the difference between the SoA and the risk treatment plan?
The SoA lists all Annex A controls and states whether each is included or excluded, why, and whether it is implemented. The risk treatment plan, required by clause 6.1.3 e), describes the specific actions, timelines, responsibilities and resources for implementing the selected controls and treating the identified risks. They are complementary documents: every control the plan relies on must be marked as included in the SoA, and a control the SoA marks as planned rather than implemented should have a corresponding entry in the plan.
.legal A/S
hello@dotlegal.com
+45 7027 0127
VAT-no: DK40888888
.legal is not a law firm and is therefore not under the supervision of the Bar Council.