ReadSafety.com

ISO 27001 Questions, Answered

What is the Statement of Applicability in ISO 27001?

Quick answer

The Statement of Applicability (SoA) is the mandatory ISO 27001 document listing all 93 Annex A controls, stating for each whether it applies, why it was included or excluded, and its implementation status. It connects your risk assessment to your actual controls, and it is the single most-examined document in any ISO 27001 audit.

What clause 6.1.3 actually demands

After assessing risks and choosing treatments, you must produce a Statement of Applicability that contains: the controls you determined necessary (from Annex A or anywhere else), justification for their inclusion, their implementation status, and justification for excluding any Annex A control. Necessary controls can come from other frameworks, contracts, or your own design; Annex A functions as the completeness checklist you compare against so nothing necessary is overlooked.

Key factExclusions must be defensible against your context, not convenient. "A.7 physical controls excluded, fully remote company with no premises" survives audit if it is true. "A.8.28 secure coding excluded" from a company that ships software does not, whatever the justification says.

Why auditors treat it as the master document

The SoA is where an auditor tests whether your ISMS is one connected system or three disconnected artifacts. The standard trace: risk register entry, to treatment decision, to SoA control marked applicable, to the control operating in the real world, to evidence. Breaks in that chain are findings. Common ones: controls marked "implemented" that are aspirational, justifications copy-pasted from a template that mention departments you do not have, and an SoA version that predates your latest risk assessment, proving the two documents do not talk to each other.

Building one that holds up

  • Structure: a table with control ID and name, applicable yes or no, justification tied to specific risks or requirements, implementation status, and where evidence lives. One line each, in your own words.
  • Version it meaningfully. The SoA changes when your risk assessment changes, when incidents teach you something, and when scope moves. A two-year-old SoA in a company that shipped ten product changes is self-incriminating.
  • Keep it honest about status. "Partially implemented, completion Q3" is a legitimate SoA entry before certification and shows a working system; "implemented" that fails sampling is a nonconformity plus a credibility wound that colors the rest of the audit.

One practical tip from the audit chair

Write justifications a stranger could verify: name the risk, the customer requirement, or the law that makes the control necessary. When every line of the SoA points at something real, Stage 1 becomes a table read instead of an interrogation, and Stage 2 auditors arrive already trusting your system's internal logic.

Ready to take the next step?

USQC - United Safety Quality Council is an ASC-accredited certification body providing third-party ISO 27001 certification audits, internal and supplier audit services, and auditor training. Since 2015, USQC has automated audit planning, reporting, and decision support, cutting audit man-days that other certification bodies bill for and placing USQC pricing in the lower quartile, with highly experienced lead auditors on every audit.

Talk to USQC