ISO 27001 Statement of Applicability: The Complete Overview

In a world where data is the new currency, safeguarding it is non-negotiable. Enter the ISO 27001 Statement of Applicability (SoA) – a pivotal document that showcases an organisation’s unwavering commitment to securing sensitive information.

In the UK alone, 21% of all organisations and a staggering 57% of large enterprises are well-versed in the ISO 27001 standard, according to the Statista survey. A key stepping stone in this journey is the Statement of Applicability.

Dive into this blog, where we break down everything you need to know about the ISO 27001 SoA – from crafting it to ensuring it covers all the critical aspects of your organisation's security framework. 

Table of Contents  

1) What is an ISO 27001 Statement of Applicability?  

2) Why is an ISO 27001 Statement of Applicability Important?  

3) ISO 27001 Control List and Its Applications 

4) What to include in your Statement of Applicability?  

5) Steps on how to write a Statement of Applicability (SoA) 

6) Time-Saving Tips for Writing an SoA

7) Conclusion  

What is the ISO 27001 Statement of Applicability?  

The ISO 27001 Statement of Applicability is a crucial document for obtaining ISO 27001 Certification. This document outlines the specific ISO 27001 Annex A controls that your organisation deems essential for addressing information security risks. Additionally, it enumerates the ISO 27001 controls from Annex A that have been excluded, providing a comprehensive overview of your information security risk mitigation strategy.

Annex A of ISO 27001 is a catalogue of the Information Security controls that must be considered during the implementation of ISO 27001. The Statement of Applicability will indicate whether the Annex A controls are applicable and implemented, applicable but not implemented, or not applicable at all. 

The Statement of Applicability is typically an internal document shared only with your organisation and the certification body. Doing it right is critical to speeding up the certification process. 

According to Clause 6.1.3 of the ISO 27001 compliance framework, a Statement of Applicability should list the information security controls an organisation has selected to mitigate risks, explain why these controls were chosen for the Information Security Management System (ISMS), state whether these applicable controls have been fully implemented, and clarify the reasons for excluding any security controls. 

Why is the ISO 27001 Statement of Applicability important?  

The Statement of Applicability is pivotal for an organisation to gain ISO 27001 Certification. Together with the Scope of the ISMS, the Statement of Applicability provides a descriptive summary of all the controls applied and implemented by the organisation. The documentation must be available for review during the Stage 1 certification audit. 

However, it will only be closely examined during the Stage 2 audit when the Auditor tests some of the security controls and ensures that not only do they describe but accurately demonstrate the control objectives being achieved.  

The Auditor will review the organisation's information asset inventory, consider the risks and their evaluation and treatments, and look for any physical evidence that the organisation has adequately implemented the controls it has claimed to address those risks. The Statement of Applicability and the Scope will cover the organisation's products and services, its information assets, processing facilities, the systems in use, the people involved and the business processes – whether it is a one-person business or a multi-site international organisation. 

Customers with significant information security concerns may wish to see your organisation’s Scope and SoA before making a purchase. This ensures that the benefits of ISO 27001 certification are applied to the relevant sectors of your company handling assets.

Even when putting ISO 27001 Certification requirements aside, the Statement of Applicability is an Invaluable document. Here are a few other reasons why it’s important: 

1) It helps put your data security strategy into practice: ISO 27001 requires that your Statement of Applicability provides a detailed description of how you meet those requirements. Your SoA also helps you focus your efforts on achieving a compliant ISMS by posing as the link between your risk assessment and risk treatment plan – thus helping you put your data security strategy into practice.     

2) It Guides Your Internal and Certification Audits: During your ISO 27001 Audit for certification,your Statement of Applicability is the central document for your Auditor to gauge whether your controls work as intended. It will also be a focal point for your regular internal security audits and help you fulfil your requirements to review and improve your ISMS continually.  

3) It Provides a Working Document for Tracking and Improving Your ISMS: The SoA is an integral part of your certification audit, but not just for your Auditor's benefit. The Statement's core value is as a tool for your organisation to help you monitor and improve your ISMS. It is a working list of every control, why each control is needed, and a description of how it works – ISO 27001 Compliance can help you and others in your business understand how and why you manage information security risks. 

Take control of your organisation's Information security with our ISO 27001 Internal Auditor Course - register now!  

ISO 27001 Control List and Its Applications

Within ISO 27001, there is a set of controls, specifically in Annex A, that organisations can use to address various Information security risks. These controls are divided into 14 sections, each addressing a different aspect of information security. Here is a list of controls in ISO 27001 along, with their general uses: 

1) Information Security Policies (A.5): Defines and communicates information security policies and objectives. 

2) Organisation of Information security (A.6): Establishes roles and responsibilities to maintain information security within the organisation. 

3) Human Resource Security (A.7): Ensures employees and contractors are aware of and compliant with security policies. 

4) Asset Management (A.8): Identifies, classifies, and manages information assets effectively. 

5) Access Control (A.9): Controls access to information systems and data, ensuring authorised access and preventing unauthorised access. 

6) Cryptography (A.10): Protects sensitive information through encryption and cryptographic controls. 

7) Physical and Environmental Security (A.11): Secures physical facilities and equipment to prevent unauthorised access, damage, or interference. 

8) Operations Security (A.12): Ensures the secure operation of information systems and data. 

9) Communications Security (A.13): Protects the confidentiality and integrity of data during transmission. 

10) System Acquisition, Development, and Maintenance (A.14): Integrates security into the Software Development Lifecycle and procurement processes. 

11) Supplier Relationships (A.15): Ensures that suppliers and third-party partners meet Information security requirements. 

12) Information Security Incident Management (A.16): Establishes an incident response plan to properly address security breaches and incidents. 

13) Information Security Continuity (A.17): Develops and maintains business continuity and disaster recovery plans. 

14) Compliance (A.18): Ensures compliance with legal, regulatory, and contractual requirements concerned with Information security. 

Handling Non-applicable SoA Controls

When the controls listed in the SoA within an ISMS based on ISO 27001 do not apply to a particular organisation or situation, there are several steps you can take: 

1) Document the Reason: Clearly document why specific controls do not apply to your organisation. This documentation is crucial for audit and compliance purposes. You should provide a valid justification for each control that is deemed not applicable. 

2) Conduct Risk Assessment: Conduct a thorough risk assessment to determine whether the control is truly not applicable or if there are alternative measures that need to be implemented. It's possible that what seems irrelevant at first glance might actually be relevant in a different context or with a different risk assessment. 

3) Seek Expert advice: Consult with Information security experts or consultants who are experienced with ISO 27001. They can provide insights into whether controls are truly inapplicable or if there are alternative controls that should be implemented. 

4) Consider Alternative Controls: If a control is not applicable in its current form, consider implementing alternative controls or security measures that address the same risk or objective. The goal is to ensure that the Information Security risks are adequately managed, even if the specific ISO 27001 controls don't fit your situation. 

5) Document Compensatory Measures: If you decide to implement alternative controls, document these compensatory measures in your SoA. This demonstrates that you’re actively managing risks, even if you’re not adhering to the standard controls. 

6) Review Periodically: Information security risks change over time, so periodically review the SoA to see if previously inapplicable controls have become relevant due to changes in the organisation, its environment, or its threat landscape. 

7) Consult with the certification body: If you are pursuing ISO 27001 Certification, consult with your certification body or Auditor to ensure they agree with your assessment of controls as not applicable. Their feedback can be valuable in ensuring compliance. 

8) Seek management approval: Ensure that senior management is aware of and approves the decision to declare controls as not applicable. This should be documented and communicated within the organisation. 

Want to elevate your organisation's Cybersecurity practices? Make sure to register for our industry-leading ISO 27001 Certification! 

Key Inclusions for Your Statement of Applicability

According to the ISO 27001 standards, the following are the requirements from Clause 6.1.3 that are to be fulfilled by an ideal Statement of Applicability document:   

a) The definition of the security controls (security measures) that will be applied covers the suggested controls from ISO 27001 Annex A and potentially the controls from other sources 

b) Justification for the inclusion of applicable ISO 27001 controls within your organisation’s information security Management System.

c) The implementation status of the applicable security controls is a documented status of whether the mentioned security controls have been implemented or not 

d) The justification for the exclusion of the security controls from Annex A that is not applicable to the ISMS of your organisation 

Want to gain the expertise to lead and conduct a successful ISO 27001 audit? Sign up for our ISO 27001 Lead Auditor Course today!  

Steps to Write a Statement of Applicability (SoA) 

Now that we have discussed what a Statement of Applicability is, why it is essential and what it should include, we will now discuss the steps to write one.
 

1) Understand the requirements  

The first step to writing an effective ISO 27001 Statement of Applicability is understanding the requirements that can be overwhelming if one is new to ISO 27001 Checklist or Information security standards in general. Nevertheless, a comprehensive understanding of these requirements will help ensure that your Statement of Applicability is accurate and complete.  

2) Conduct a risk assessment  

You must conduct a risk assessment before you begin writing an ISO 27001 Statement of Applicability. This step aims to evaluate and assess the Information Security risks that could pose a threat or loss to your organisation. If you have already completed a risk assessment, you can use that information as a starting point.

3) Determine your Risk Management strategy  

This step is where you should define your Risk Management strategy, identify your security risks, and define what you need to implement to manage those risks effectively. For instance, an organisation may implement an encryption solution to secure sensitive data. Once you define all the parts of your Risk Management strategy’s parts, you will have a clearer picture of the controls that will be best suited to address every component within your organisation's Information Technology system. 

4) Select the relevant security controls  

Every organisation is different, meaning that it has its unique set of risks to which it is most vulnerable. This, in turn, means that every organisation will have a unique set of controls that it will have to adopt to strengthen its ISO 27001 physical security against potential risks.

For instance, if you run a large manufacturing business with multiple warehouses where inventory is always being shipped out or returned to storage, the physical access controls could be a part of your ISO 27001 Statement of Applicability. However, other companies may find that they do not face many physical security risks and that another set of controls is at the top of their priority list.  

5) Complete the Statement of Applicability  

At this point of the process, you have everything you need to put your Statement of Applicability together. If you have chosen to exclude an Annex A control from your Statement of Applicability, providing an appropriate justification for your decision is essential. You should also include the risks considered and determined not to be a high-priority risk for your organisation. If possible, explain why a particular risk was deemed unfit for inclusion in your Statement of Applicability.  

You must also document the reason for including the Annex A controls mentioned in your statement. Typically, the reason for including the Annex A controls is because the controls were determined to be necessary for mitigating a specific Information security risk for a company.  

6) Plan annual updates  

Once you have completed writing your Statement of Applicability and risk assessment, you must closely monitor it. You should review the document regularly to ensure you meet the ISO 27001 Requirements mentioned in the standard. Additionally, you must ensure that you stay updated with any technological changes that may impact your program and risk treatment plan. 

Time-saving Tips for Writing an SoA

Saving time while writing an ISO 27001 SoA is essential for streamlining the implementation of your ISMS. Here are some tips on how to do it efficiently: 

Saving time when writing an key features of ISO 27001 SoA is essential for streamlining the implementation of your ISMS. Here are some tips on how to do it efficiently: 

1) Understand the standard: First and foremost, ensure you have a deep understanding of the ISO 27001 Standard and those requirements. Familiarity with the controls in Annex A is crucial as they form the basis of your SoA. 

2) Define the Scope: Make sure to define the Scope of your ISMS clearly. Determine which parts of your organisation and which assets will be covered by ISO 27001. A well-defined Scope will help you focus your efforts. 

3) Be prepared: Before you start drafting the SoA, gather all relevant information, such as the results of risk assessments, policies, procedures, and documentation of security controls that are in place. 

4) Prioritise controls: Not all Annex A controls will be applicable to your organisation. Identify and prioritise controls based on your risk assessment. Focus on those that are most relevant and critical to your organisation's Information security. 

5) Use templates: Many templates and pre-designed SoA documents are available online. While these can be a useful starting point, ensure you customise them to your organisation's unique needs and circumstances. 

6) Collaborate: Involve key stakeholders from different departments in the SoA process. They can offer valuable input and help identify the controls that are most relevant to their areas of responsibility. 

7) Map controls: Clearly map each control to the relevant assets, processes, or systems they apply to. This ensures transparency and accountability. 

8) Justify exclusions: If you decide to exclude certain controls, provide clear and well-documented justifications for each exclusion. Be prepared to demonstrate that the exclusion doesn't introduce unacceptable risks. 

9) Keep it concise: While it's essential to provide detailed information, avoid unnecessary verbosity. Focus on conveying the necessary information efficiently. 

10) Use standard language: Stick to standard language and terminology used in ISO 27001. This ensures clarity and consistency throughout the document. 

11) Review and validate: Have your SoA reviewed by experts in Information security, such as Internal or External Auditors, to ensure it meets the standard's requirements. 

12) Document updates: Recognise that the SoA is not a static document. As your organisation evolves, so should your SoA. Implement a regular process for reviewing and updating it. 

13) Invest in training: Invest in training for staff members who will be involved in the SoA process. Well-trained personnel can complete the document more efficiently. 

14) Use software tools: Consider using specialised software tools that can help automate the creation and maintenance of your SoA. These tools can save time and cut down on errors. 

15) Plan ahead: Do not wait until the last minute to start drafting your SoA. Plan your timeline well in advance of your ISO 27001 implementation or audit. 

Conclusion  

A well-presented and easy-to-understand about What is ISO 27001 Statement of Applicability shows the relationship between the relevant and implemented Annex A controls given the risks and information assets in the Scope. It assures an Auditor or any other interested party that an organisation is taking its Information security Management seriously, especially if it is all joined into a holistic information security Management System. 

Take the first step towards securing your organisation's information with our comprehensive ISO 27001 Foundation Course.