A Statement of Applicability (SOA) is a document you draft as part of achieving compliance with ISO 27001 and other ISO standards. The SOA reviews the internal controls you have decided to include in your information security management system (ISMS) and why you selected those controls. 

Writing a thoughtful, comprehensive SOA is crucial to your ISO 27001 compliance journey. The SOA helps you to map your implemented controls against “Annex A,” the list of all possible controls you might use for ISO 27001 compliance, and it also helps to streamline the audits you must undergo to certify your ISO 27001 compliance. 

This blog provides an overview of how to draft an SOA that satisfies compliance with ISO 27001 and helps you to manage your information security risks. 

What Is the Statement of Applicability (SOA)?

An SOA is mandatory for organizations seeking to certify their compliance with ISO 27001. It explains which information security controls from Annex A of ISO 27001 are within scope of your ISMS. 

According to the ISO 27001 standard, the SOA should:

  • List all the Annex A controls;
  • Identify which controls are relevant and applicable, based on a risk assessment;
  • Explain why specific controls were excluded or not applicable;
  • State whether the chosen controls are fully implemented.

The SOA is a confidential document demonstrating how your implemented controls align with ISO 27001 requirements. It must be shared only with your auditor during the certification process.

What Compliance Frameworks Require a Statement of Applicability?

The SOA is mandatory for ISO 27001. It is not mandatory for other regulatory frameworks, although writing an SOA does help you comply with those other frameworks. 

For example, numerous information security and privacy frameworks are quite similar to ISO 27001:

  • Service Organization Control 2 (SOC 2)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • General Data Protection Regulation (GDPR)

Those frameworks don’t formally require an SOA — but by drafting one for ISO 27001, you can bring your information security program into much sharper clarity. You’ll have a list of which controls you use, which ones you don’t, and why. Knowing that rationale will make compliance with the other frameworks much easier.

What Are The Requirements for the SOA?

To create a solid SOA, follow these basic steps:

  • List all 114 controls from Annex A of ISO 27001 in a table format.
  • Identify which controls apply to your ISMS scope.
  • Justify why specific controls are excluded as not applicable.
  • Confirm management approval of the final SOA document.

This demonstrates to auditors that you have:

  • Performed a comprehensive risk assessment;
  • Selected relevant controls to mitigate identified risks;
  • Implemented necessary security measures for your environment;
  • Aligned with ISO 27001 requirements for certification.

A well-documented SOA is crucial evidence that your ISMS meets the information security objectives and controls outlined in ISO 27001.

Determining the Controls to Include in Your Statement of Applicability

Choosing applicable controls starts with a comprehensive cybersecurity risk assessment. Use methods such as:

  • Risk assessment surveys of stakeholders;
  • Threat modeling exercises;
  • Reviewing internal audit reports and incident logs.

Analyzing the risk assessment report will identify key risks and the relevant ISO 27001 controls to treat those risks adequately. Any new controls outside Annex A can also be added based on risk treatment plans. You can also use an SOA template to get started, and above all to assure that you consider all necessary controls. 

In addition to risks, factors such as contractual requirements, industry regulations, access control objectives, and physical security needs help determine other applicable controls.

How to Prepare a Statement of Applicability

Follow these steps for drafting the ISO 27001 SOA:

  1. Document the risk assessment methodology.
  2. List all Annex A controls in a table.
  3. Mark controls relevant to managing identified risks.
  4. Justify the exclusion of controls based on risk assessment results.
  5. Review legal, regulatory, and contractual requirements for any other needed controls.
  6. Finalize list of applicable controls after approval from management and auditors.
  7. Prepare treatment plans to implement controls.
  8. Review and update the SOA during internal audits and when new controls are added.

Meet Your Compliance Goals with ZenGRC

Streamline your ISO 27001 SOA and certification process using ZenGRC’s compliance automation platform. You can accelerate your ISMS implementation while assuring continuous control improvement with guided workflows and pre-built content kits for ISO 27001 and other frameworks.

Ready to simplify ISO 27001 compliance? Schedule a demo now to see ZenGRC in action.