The Complete Guide to ISO 27001 Statement of Applicability (SoA)

Learn how to develop an effective Statement of Applicability (SoA) for ISO 27001 compliance with this comprehensive guide. Discover key steps, best practices, and expert insights to ensure your organisation meets the requirements of ISO 27001.

Understanding the Importance of a Statement of Applicability

The Role of the Statement of Applicability in ISO 27001 Compliance 

The SoA is a required document for ISO 27001 compliance. In the SoA, your organisation will catalogue its chosen security protocols from 114 Annex A controls, and justify these choices with risk assessments and audits.

Why a Well-crafted SoA is Crucial for Information Security Management 

A well-crafted SoA is crucial for information security management because it:

  • Helps to demonstrate compliance
  • Identifies and analyses risks and needs
  • Delineates controls and their roles
  • Ensures your security needs are met
  • Serves as a roadmap for future implementation

Key Components of an ISO 27001 Statement of Applicability

Identifying and Documenting the Scope of the SoA 

Figuring out the scope of your SoA means setting limits for your Information Security Management System (ISMS). You’ll need to find out what threats you’re up against, what resources you have available, and how your chosen security controls are going to support your overall strategy.

Remember, your SoA will evolve as your organisation’s security needs change.

Inclusion of Organisational Security Objectives and Controls 

Adding security goals and controls to your SoA means matching specific security targets with the best safety measures to achieve them. You’ll need to align these goals with stakeholder and consumer expectations. 

For example, 63% of consumers consider an organization’s data collection and storage practices to be the most important factor when deciding whether to share sensitive information. An emphasis on data privacy in your SoA matches consumer expectations and strengthens your organisation’s overall security framework.

Step-by-Step Guide to Developing a Statement of Applicability

3.1 Conducting a Comprehensive Information Security Risk Assessment  

Since a SoA is all about finding the right controls to combat risks, you’ll need to find out what those risks are. Here’s how to do just that:

  1. Identify and catalogue all valuable assets. This means data, hardware systems, software systems, and processes.
  2. Find out what weaknesses are present in these systems where threats could originate.
  3. Evaluate how likely it is that these threats will take place, including the impact they could have.
  4. Prioritise threats based on a blend of their likelihood and the damage they may cause.
  5. Select appropriate controls from Annex A to mitigate and manage risks should they become a reality.

          Check out our handy guide to ISMS risk assessments here for more tips.

          3.2 Identifying Applicable Legal, Regulatory, and Contractual Requirements

          Did you know that 94% of data, privacy, and security professionals say compliance with data privacy regulations is a top priority for their organization? The SoA ensures that implemented security measures address the requirements outlined in data privacy regulations.

          So, it’s time to put your reading glasses on.

          When choosing your controls, you’ll need to take into account all laws and regulations relevant to information security standards in your industry, identify those that apply to your organisation, and add in any contractual commitments made to your suppliers/customers.

          3.3 Mapping Controls to Address Identified Risks and Requirements  

          Now it’s time to ensure that your chosen controls can effectively handle risks, meet your security targets and comply with commitments. This involves:

          Correlation – Align each identified risk with a corresponding control from Annex A

          Justification – Demonstrate how the chosen controls mitigate/manage the risk

          Completeness – Ensure each risk and requirement has a corresponding control

          3.4 Documenting the Control Objectives and Their Implementation Status  

          This stage of the SoA is where its evolutionary nature becomes clear. You’ll be updating it every time you take a step toward meeting your control objectives.

          Clearly articulate what you’re aiming to achieve with your chosen controls. Then, document what stage of implementation the controls are at. This may be planned, in progress, or already implemented. Explain current statuses, including reasons for delays and analysis of successful implementations.

          3.5 Establishing a Clear Rationale for the Inclusion or Exclusion of Controls 

          Just because a control is featured in Annex A, doesn’t mean it’s going to fit with your security objectives. However, if you’re excluding a certain control, you’re going to need to explain why and maintain this reasoning for similar risks and controls.

          In your SoA, each control will be listed. Annotate, analyse and justify why certain controls were selected and others weren’t. A comprehensive rationale will make this process much simpler, and further outline your specific security needs.

          3.6 Reviewing and Validating the SoA with Relevant Stakeholders 

          Finally, you’ll need to get stakeholder approval for the content of your SoA. This includes:

          Engaging Key Individuals

          During the review process, involve stakeholders from relevant departments or areas of expertise.

          Collecting Feedback

          Gather stakeholders’ insights and suggestions on the SoA’s accuracy and relevance regarding their area’s requirements.

          Refine the Document

          Make necessary changes and additions to align the SoA with stakeholder goals and expectations, all while adhering to regulations.

          Best Practices for Creating an Effective Statement of Applicability

          Involving Key Stakeholders Throughout the SoA Development Process 

          Stakeholder engagement with the SoA ensures the document is comprehensive. However, you’ll have a lot fewer changes to make if you involve key personnel from the off.

          Identify important players who have a vested interest in the SoA, and get their approval on sections that concern them. Work together to ensure improvements are thorough and far-reaching.

          Regularly Reviewing and Updating the SoA to Reflect Changes in the Organisation’s Environment 

          Your organisation’s security needs are constantly changing. As your business grows, so do your assets. Your data systems and processes evolve, staff join and leave, and cybersecurity threats become more advanced.

          Your risk assessments and chosen controls will need to reflect these changes to maintain compliance. Don’t be shy; check your SoA at least annually.

          Check out our article on compliance management for more tips on how to set and meet ongoing compliance targets.

          Overcoming Challenges in Developing the Statement of Applicability

          Addressing Complexities in Mapping Controls to Specific Risks and Requirements 

          Sometimes it can seem as if:

          • A risk doesn’t match up to any Annex A controls.
          • A risk needs multiple controls to mitigate and manage it.

          If A is an issue, collaborate with relevant personnel, perform a thorough analysis and seek expert help to select one or a few of the best controls.

          If B is the case, you can break risks down into the sequence of events that might transpire. Then, assign a specific control to each of these.

          Remember, it’s recommended that you continually refine the SoA. As long as you can effectively justify why a control was selected using a review or audit, that risk is considered managed.

          Ensuring Alignment Between the SoA and Other Information Security Management System (ISMS) Documents 

          There are quite a few mandatory documents you’ll need to create to achieve ISO 27001 compliance. With so many documents being written up simultaneously, it can be a challenge to make sure the information included in your Statement of Applicability matches up.

          To simplify this process, you can:

          • Develop document control processes
          • Use a consistent framework and terminology set
          • Regularly cross-reference
          • Facilitate communication between those responsible for different documents
          • Integrate documentation for easy referencing and linkage

          Tools and Resources to Simplify the SoA Development Process

          Utilising Automated Compliance Platforms and Software 

          Automated compliance platforms, such as Compleye, provide a whole host of benefits if you’re working your way through ISO 27001 documentation.

          We’ll help you map controls to specific risks with a structured approach. On top of that, our automated workflows and user-friendly document storage make the approval process a breeze. Your colleagues can collaborate on one, easy-to-use central platform. 

          Leveraging Templates and Frameworks for Efficient SoA Creation

          Compleye also offers templates and frameworks for superlative SoAs. Lucky you. These save you valuable time and ensure your SoA is comprehensive. Don’t forget, our consultation service can provide you with guidance every step of the way.

          Ensuring Ongoing Compliance and Continuous Improvement

          Incorporating the SoA into the Organisation’s ISMS Maintenance Activities 

          Did you know that only 34% of organizations said data privacy had become one of the core responsibilities of their cybersecurity team?

          It’s stats like these that demonstrate the importance of the SoA beyond being a requirement for ISO 27001 compliance. This document is going to be your best friend as you and your team identify and manage evolving risks for years to come.

          When it comes to emerging threats and changing business landscapes, the SoA will guide your team’s assessment and adjustment of security controls. Use your SoA as a reference point to continually align controls with goals and requirements.

          Conducting Regular Audits and Reviews to Validate the Effectiveness of Controls 

          Writing your chosen controls down is one thing, but figuring out if they’ll work is another. Conducting regular audits and reviews will help you select adequate options, and ensure that your chosen controls do their job. As your organisation’s needs change, you should conduct further audits and reviews.

          Struggling to work out where to start with internal audits? No problem – here’s our checklist and free template.


          Key Takeaways and Final Thoughts on Creating a Robust and Compliant ISO 27001 Statement of Applicability

          The Statement of Applicability isn’t just a box to tick. It’s your ISMS’s best friend for the long haul. From risk assessment to stakeholder validation, the SoA is pivotal to your organisation’s security.

          You’ll need to:

          • Identify assets and potential threat origin points
          • Get stakeholders involved from the start
          • Evaluate risks and assign controls from Annex A
          • Justify these decisions and any exclusions
          • Conduct regular audits and reviews
          • Make necessary changes and refine your SoA
          • Manage ongoing compliance

          By leveraging Compleye’s automated tools and templates, you can streamline the process and perfect your SoA (for the moment, at least), ensuring ongoing compliance and adaptability.

          All that’s left to do is get writing, and you’ll be one step closer to ISO 27001 compliance.


          Table of Contents

          Compliance Platform for Tech Companies

          All-in-One DIY Compliance Platform to help tech businesses towards their ISO 27001, ISO 9001, or SOC-2 certification and stronger performance on privacy and security. Ready?