ISO 27001: How to Write a Statement of Applicability
You need a Statement of Applicability for an ISO 27001 certification. Here's a quick guide to make the process as stress-free as possible.
Cyber incidents are the leading risk to businesses globally for 2024, according to a recent survey among risk management experts. This includes things such as cybercrime, IT failure or outages, data breaches, and fines and penalties.
All of this isn’t great news for your data or for your business.
For these and many reasons, companies are choosing to pursue ISO 27001 certification. ISO 27001 can help you mitigate risks, establish a strong security posture, and build trust with customers who have growing concerns about their information.
A major component in pursuing ISO 27001 certification is your Statement of Applicability (SoA). If you’re not sure where to begin, consider this post your quick start guide to make the process as stress-free as possible.
A Statement of Applicability is a document required for ISO 27001 certification. It states the ISO 27001 Annex A controls that your organization determined to be necessary for mitigating information security risk and the controls that were excluded.
With the 2022 update to ISO 27001, Annex A was restructured, consolidating information security controls from 114 to 93 and reorganizing them into four categories: Organizational, People, Physical, and Technological. No controls were removed, but some have been merged and revised, and new ones introduced to address emerging security challenges.
The updated structure simplifies categorization but also requires organizations to review and update their SoA to reflect the new control set.
The SoA is a blueprint for your organization’s approach to information security, tying risks to the controls you’ve selected or excluded.
Done right, a Statement of Applicability simplifies audits, demonstrates your commitment to managing risks, and builds trust with stakeholders who care about data security.
Your stakeholders want to know how you protect their information. A well-maintained SoA shows customers, partners, and employees exactly which security measures you've chosen and why, so they gain confidence in your commitment to protecting their data.
The SoA gives auditors a clear map of your security program. Instead of piecing together information from different documents, they can see all your controls and their purposes in one place. This makes both internal audits and certification audits more efficient, cutting down the time and effort necessary to verify your security practices and maintain (or get) your certification.
The SoA also becomes a tool for maintaining your Information Security Management System (ISMS) as your organization evolves. When your business changes how it operates or faces new threats, this living document helps you track which controls need updates or replacements.
Through regular reviews, you can spot gaps in your ISMS, phase out controls that no longer make sense, and keep your security program aligned with what your organization actually needs.
The controls you include should directly address the risks identified in your organization’s risk assessment and meet your compliance needs. While the applicable controls will vary depending on your organization’s unique context, the process for selecting and documenting them remains consistent.
ISO 27001:2022 provides more flexibility in choosing controls that best fit your organization’s current context and business priorities. It encourages a more tailored approach to selecting controls that are proportional to the risks and potential impacts faced by the organization. Since there is more flexibility, the 2022 version requires a clearer justification of how controls address not only the identified risks but also the organization's business objectives and strategic context.
For example, controls under the Physical and Environmental Security domain (Annex A11 in the 2013 numbering; these controls now sit under the Physical theme of the 2022 Annex A) might apply to organizations with physical offices that need to secure server rooms or prevent unauthorized access to facilities. Meanwhile, controls under the Access Control domain (Annex A9 in the 2013 numbering; spread across the Organizational and Technological themes in 2022) are more relevant for managing user permissions and safeguarding sensitive digital assets, especially in businesses with remote or hybrid workforces.
"We haven't implemented it yet" or "it's too expensive" aren't valid reasons for exclusion. Each justification should clearly explain the rationale behind the selection or exclusion of a control, referencing specific risks, business context, and regulatory requirements. The explanation should be concise, easy to understand, and directly traceable back to the risk assessment and treatment decisions, allowing auditors to easily follow the reasoning behind each decision.
Here’s a breakdown of the steps you’ll need to take to put together an SoA for your organization.
The first step to writing an ISO 27001 Statement of Applicability is understanding the requirements, which can be overwhelming if you’re new to information security or ISO 27001.
Nevertheless, understanding these ISO 27001 requirements will help ensure that your SoA is accurate and complete.
To begin the process of writing an ISO 27001 Statement of Applicability, you will need to conduct a risk assessment. The purpose of this step is to evaluate the information security risks that could pose harm or loss to your organization.
If you have already completed the assessment, use the identified risks as a starting point.
If not, start by:
Your risk assessment should be tailored to your organization’s environment and circumstances. In other words, you should choose a risk assessment methodology that gathers the information you need about the particular vulnerabilities and risks affecting your company.
Most risk assessments follow either a qualitative approach, which uses judgment to categorize risks on a low-to-high scale of probability, or a quantitative approach, which uses mathematical formulas to calculate the expected monetary loss from specific risks. Either methodology can be combined with other methods, such as asset-based or threat-based assessment.
Both ISO 27005 and NIST SP 800-30 standards can provide guidance for determining the most appropriate risk methodology.
If you don’t have a cybersecurity expert on your team, you could hire a consultant to help identify threats that could affect your organization’s ability to achieve its goals. They may suggest strategies or tools they’ve used when working with companies in your industry, which can help form your own plan.
Again, this can be particularly useful if you’re a new organization or don’t have much experience with risk assessments. Getting input from others can help create a more complete risk profile.
This is the point where you define your risk management strategy, identify security risks, and decide what you need to implement to manage those risks effectively. For example, an organization may decide to implement an encryption solution for securing sensitive data.
Once you define all parts of your risk management strategy, you will have a clearer picture of what type(s) of controls will be best suited for addressing each component within your organization’s IT system.
As we mentioned above, every company is different, and that means the controls you implement may be unique to your organization or industry.
If you run a large manufacturing business with multiple warehouses where inventory is always being shipped out or returned to storage, then physical access control could be part of your ISO 27001 certification process.
However, other companies may find that they don’t face many physical security risks and that a different set of controls is at the top of their priority list.
At this point, you have everything you need to put your Statement of Applicability together. To recap, here’s what you’ll need to include in your SoA document:
The Annex A controls list
The implementation status of each control
Why each control was included or excluded
How each control is implemented within your organization
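The four items above, together with the justification rules from the earlier section (every decision traceable to the risk assessment, and "not implemented yet" or "too expensive" never being acceptable grounds for exclusion), are mechanical enough to check automatically. The script below is an added example, not code from the page or from Drata: it models an SoA as a list of entries and flags completeness gaps, untraced inclusions, weak exclusion reasons, and risks marked for mitigation that no included control covers. The control ids follow the ISO 27001:2022 Annex A numbering; the risk register and the SoA entries are constructed sample data.

```python
from dataclasses import dataclass, field
import re

# Constructed subset of the ISO 27001:2022 Annex A control list (ids follow the 2022 numbering).
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.15": "Access control",
    "7.1": "Physical security perimeters",
    "8.5": "Secure authentication",
    "8.24": "Use of cryptography",
}

# Constructed risk register excerpt: risk id -> (description, chosen treatment).
RISK_REGISTER = {
    "R-01": ("Unauthorised access to customer records", "mitigate"),
    "R-02": ("Interception of customer data in transit", "mitigate"),
    "R-03": ("Theft of hardware from an office", "accept"),
}

VALID_STATUS = {"Implemented", "Partially implemented", "Planned", "Not applicable"}

# Phrases the article names as invalid grounds for excluding a control.
WEAK_EXCLUSION = re.compile(r"(haven'?t|not yet|not) implemented|too expensive|no budget", re.I)


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool            # included (True) or excluded (False)
    status: str                 # implementation status, one of VALID_STATUS
    justification: str          # why included or excluded
    risk_ids: list = field(default_factory=list)   # risks from the register this control treats
    implementation: str = ""    # how the control is implemented in the organisation


def validate_soa(entries, annex_a=ANNEX_A, register=RISK_REGISTER):
    """Return a list of findings; an empty list means the SoA passes every check."""
    findings = []
    by_id = {e.control_id: e for e in entries}

    # 1. Completeness: every Annex A control needs an include/exclude decision.
    for cid in annex_a:
        if cid not in by_id:
            findings.append(f"{cid}: missing from SoA, no decision recorded")

    covered = set()
    for e in entries:
        if e.control_id not in annex_a:
            findings.append(f"{e.control_id}: not an Annex A control id")
            continue
        if e.status not in VALID_STATUS:
            findings.append(f"{e.control_id}: unknown status '{e.status}'")
        if not e.justification.strip():
            findings.append(f"{e.control_id}: no justification recorded")

        if e.applicable:
            # 2. Included controls must trace to real risks and say how they are implemented.
            if e.status == "Not applicable":
                findings.append(f"{e.control_id}: marked applicable but status is Not applicable")
            if not e.risk_ids:
                findings.append(f"{e.control_id}: included but not traced to any risk")
            for rid in e.risk_ids:
                if rid in register:
                    covered.add(rid)
                else:
                    findings.append(f"{e.control_id}: references unknown risk {rid}")
            if not e.implementation.strip():
                findings.append(f"{e.control_id}: included but no implementation description")
        else:
            # 3. Exclusions need a status of Not applicable and a substantive reason.
            if e.status != "Not applicable":
                findings.append(f"{e.control_id}: excluded but status is '{e.status}'")
            if WEAK_EXCLUSION.search(e.justification):
                findings.append(f"{e.control_id}: exclusion reason cites cost or lack of implementation")

    # 4. Every risk the register says to mitigate must be covered by an included control.
    for rid, (_desc, treatment) in register.items():
        if treatment == "mitigate" and rid not in covered:
            findings.append(f"{rid}: risk treated by mitigation but no included control references it")
    return findings


# Constructed SoA with three deliberate problems: 8.5 is missing, 8.24 is excluded on cost
# grounds, and as a result R-02 has no control covering it.
SAMPLE_SOA = [
    SoaEntry("5.1", True, "Implemented", "Mandated by the ISMS; directs treatment of R-01",
             ["R-01"], "Policy set approved by management, reviewed annually"),
    SoaEntry("5.15", True, "Implemented", "Addresses R-01 (unauthorised access to customer records)",
             ["R-01"], "SSO with MFA, role-based access, quarterly access reviews"),
    SoaEntry("7.1", False, "Not applicable",
             "Fully remote organisation with no offices or on-premises servers; R-03 accepted"),
    SoaEntry("8.24", False, "Not applicable", "Too expensive to roll out this year"),
]

if __name__ == "__main__":
    for finding in validate_soa(SAMPLE_SOA):
        print(finding)
```

Each finding names the control or risk it concerns, so the output maps directly onto the rows of the SoA an auditor will read. The coverage check in step 4 is the one most worth keeping: it catches the common case where a risk is assessed and marked for mitigation but never tied to a selected control.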
Once you’ve completed your Statement of Applicability and risk assessment, you’ll need to keep a close eye on the SoA. Review the document regularly to ensure that you’re still meeting the requirements described in the standard.
Additionally, be sure to stay up to date with any technology changes that may impact your program and risk treatment plan.
The Statement of Applicability (SoA) often raises practical questions, particularly for organizations navigating ISO 27001 for the first time. Below we answer some of the most common questions to help you demystify the process.
The ISO 27001 SoA is a core document required for ISO 27001 certification. It outlines which Annex A controls your organization has chosen to implement, which controls have been excluded, and the justification for each decision.
The SoA serves as a bridge between your risk assessment and the controls in place. It’s typically reviewed by auditors and, later, a certification body to ensure your ISMS is aligned with ISO 27001 requirements and reflects a thorough risk management process.
ISO 27001:2022 is the latest version of the international standard for information security management systems. The update introduces a simplified structure for Annex A, consolidating controls into four categories: Organizational, People, Physical, and Technological.
The revised standard emphasizes a risk-based approach to security, requiring organizations to tailor their ISMS to their specific needs.
It’s important to review and update the SoA yearly. Additional triggers for review would include:
Significant changes in business operations, technology, or personnel.
New or evolving risks.
Regulatory changes or new compliance requirements.
Following the results of internal or external audits.
After a security incident or breach.
After conducting a risk assessment or treatment process.
Many organizations align their SoA updates with annual risk assessments or other periodic compliance activities. Regular updates ensure that your SoA reflects your current risk landscape and continues to meet ISO 27001 requirements.
Justifications don’t need to be overly detailed, but they must be clear and focused. For included controls, state the specific risks they address and how they contribute to mitigating those risks. For exclusions, explain why the control isn’t applicable or how other measures achieve the same objective.
For instance, when including encryption as a control, specify that it mitigates the risk of data breaches. When excluding physical security measures, note that the organization operates entirely in the cloud, which eliminates physical access risks.
If an auditor disagrees with your inclusion or exclusion of a control, they will likely ask for additional context rather than outright rejecting your SoA. A clear and logical explanation of your risk-based decision-making process usually resolves such issues.
To minimize the likelihood of this scenario, clearly explain how the decision was based on the organization’s risk assessment and business context. You should justify why a control was included or excluded by linking it to specific risks, compliance requirements, and operational needs.