ISO 27001 is a globally recognized standard for organizations to build information security management systems. If your organization wants to achieve ISO 27001 compliance and be certified as such, you’ll need to create a “Statement of Applicability” – a summary of your ISO 27001 controls, and one of the most important documents you’ll need on your compliance journey.

This article explains what a statement of applicability is, why it’s vital, and how to write one.

What Is an Applicability Statement?

The Statement of Applicability (SoA0 is the main requirement for companies to achieve ISO certification. It’s one of the first things an auditor looks for when conducting an audit, and an essential document for ISO 27001 compliance.

The SoA must be available during the ISO 27001 audit phase, when the auditor tests your controls to assure that they are designed correctly and work to achieve the standard’s objectives. For example, a company will typically fail an ISO27001 audit if the auditor lacks confidence in the administration of the information security management system (ISMS) and the documentation is managed poorly or missing entirely.

The SoA identifies which ISO 27001 controls and policies a company uses. Those controls are typically selected from ISO 27001 Annex A. Annex A is a catalog of the information security controls and objectives companies need to consider during their ISO 27001 implementations.

A company striving for ISO 27001 certification doesn’t need to use all the controls listed in Annex A (114 of them, grouped into 14 categories). Rather, you only need to use the controls that make sense for your risks and business model – and then explain your logic to the auditor.

What Should a Statement of Applicability Include?

Your SoA should include:

  • The complete list of all 114 Annex A controls, regardless of which ones you actually implement;
  • Arguments in favor of including or excluding each one;
  • A brief explanation of each appropriate control’s implementation, accompanied by citations to the relevant policy and management.

The SoA is a window into the organization’s ISMS; problems will arise if the document doesn’t help people to understand why your ISMS operates the way it does. For example, imagine that the spreadsheet listing the 114 controls is significantly outdated with the actual management controls in place when the auditor shows up.

The auditor’s inability to have faith in the management of the ISMS and the lack of proper documentation is one of the most frequent causes of an ISO 27001 audit failing. Instead of integrated and automated documentation of an SoA, having a standalone SoA “document” increases that risk.

What Is the Difference Between a Statement of Applicability and Scope?

As previously mentioned, a company’s ISO 27001 policies and controls are identified in the SoA and contrasted with the ISO 27001 control sets in Annex A. Scope, meanwhile, refers to a document specifying what a project does and does not accomplish. It usually clarifies the project’s requirements and describes how it will meet its goals.

In the ISO 27001 world, the scope is a portion of an SoA; it details the actions that your team intends to take to accomplish project goals. In addition, the scope often describes the project’s responsibilities, roles, and milestones. Even though some practitioners may conflate the terms SoA and scope, there are important distinctions between the two because they have different objectives.

What Are the Standards of ISO 27001?

According to Section 6.1.3 of ISO 27001, an SoA must:

  • Identify which controls a company has chosen to deal with the risks it has identified.
  • Explain why the organization has selected these controls.
  • State whether the company has implemented the controls.
  • Explain why the organization has decided to omit specific controls .
  • Link to the relevant documentation about the implementation for each control the company has implemented; every rule should have its entry.

Categories of Controls

The 14 categories of ISO 27001 controls in Annex A are:

  • Information security policies
  • Organization of information security
  • Human resource security
  • Asset management
  • Access control
  • Cryptography
  • Physical and environmental security
  • Operations security
  • Communications security
  • System acquisition, development, and maintenance
  • Supplier relationships
  • Information security incident management
  • Information security aspects of business continuity management
  • Compliance

A company that has performed an ISO 27001 risk assessment procedure and created a risk assessment report may wonder why it should also have to write an SoA. For the following reason: A risk assessment report is usually longer than an SoA and includes many identified risks, as many as several thousand for large companies. As such, it’s not useful for day-to-day operations. An SoA, on the other hand, is short, easier to present to management, and easier to keep up to date.

During the risk treatment phase, an organization identifies the required controls because it opted to reduce the risks based on its risk appetite. A company determines the authorities in an SoA for other reasons, such as law, contractual requirements, and other processes.

What Are the Benefits of the ISO 27001 Statement of Applicability?

Enterprise-wide SoA planning takes a lot of collaboration, time, effort, and upper-management commitment. A brief control chart should be the outcome of the SoA. Top management or another appropriate authority must examine and approve the SoA.

Audits can often give companies a great deal of anxiety, and top management may pressure information security roles to eliminate nonconformity before an audit. An SoA can ease these fears. If the SoA is properly drafted, there shouldn’t be any significant compliance issues for information security requirements.

Information security management systems can be complex. The relevant controls for confidentiality, integrity, and availability must list all applicable legal and regulatory requirements, contractual responsibilities, and rules connected to the firm’s demands. To assure that no essential controls are overlooked while implementing an ISMS at your business, the SoA acts as a checklist.

The SoA has the advantages of being acceptable to the auditor who evaluates the company and providing a concise explanation of the controls. Information security auditors move through the ISMS process controls using the SoA as their primary reference guide.

The bottom line is simply this: The time an organization invests in creating the SoA, routinely keeping it current, incorporating the SoA in the Scope of their internal audit, and performing management reviews will always be helpful.

Streamline ISO 27001 Risk Assessments With Reciprocity ROAR

The Reciprocity® ROAR Platform is the authority in enhanced internal controls and organizational risk management. It is a platform that aids in the setup, administration, and monitoring of your risk management and internal control system.

Reciprocity ROAR can help you prioritize tasks so that everyone on staff knows what has to be done and by when. Additionally, its simple dashboards make it easier to review studies that need attention and ones that have already been completed.

Task assignment for risk assessment, analysis, and mitigation operations is made simple by its workflow tagging feature. In addition, its features enable integration with popular tools, such as Jira, ServiceNow, and Slack, ensuring seamless adoption across your enterprise.

For a free consultation and demo of ROAR, schedule a demo.