Writing Your ISO 27001 Statement of Applicability (SoA): Templates and Best Practices

The Most Important Document in Your ISMS

The Statement of Applicability is often described as the single most important document in an ISO 27001 Information Security Management System, and for good reason. Clause 6.1.3 d) of the standard requires it, and it provides a comprehensive summary of every Annex A control, your decision about whether each control is applicable to your organization, the justification for that decision, and the current implementation status. Auditors use the SoA as their primary roadmap during certification audits, and it serves as the central reference point that connects your risk assessment to the controls you actually operate.

Despite its importance, the SoA is one of the documents that organizations most frequently get wrong. Common mistakes include treating it as a simple checkbox exercise, providing insufficient justification for control exclusions, failing to keep it current as the ISMS evolves, and not aligning it properly with the risk assessment results. This guide helps you create a SoA that meets audit requirements and serves as a genuinely useful management tool.

SoA Structure and Required Elements

Your Statement of Applicability must cover each of the 93 Annex A controls, plus any additional controls you have determined necessary that Annex A does not cover. Clause 6.1.3 d) requires four things: the necessary controls, the justification for including each one, whether each is implemented, and the justification for any Annex A control you exclude. In practice, a usable SoA records the following for every control. The control reference number and name identify which control is being addressed. The applicability decision states whether the control is included or excluded from your ISMS. The justification explains why the control is applicable or not applicable based on your risk assessment, legal requirements, contractual obligations, or business needs. The implementation status describes whether the control is fully implemented, partially implemented, planned, or not started. The implementation description, although not strictly mandated by the clause, provides a brief explanation of how the control is implemented in your specific environment and is what auditors use to plan their evidence sampling.

Organize your SoA following the four-theme structure of the 2022 version: Organizational controls (A.5, 37 controls), People controls (A.6, 8 controls), Physical controls (A.7, 14 controls), and Technological controls (A.8, 34 controls). This structure aligns with the standard and makes navigation intuitive for auditors and internal stakeholders. If you are migrating from the 2013 version, Annex B of ISO/IEC 27002:2022 maps old control numbers to new ones; keeping that mapping as a column in the SoA preserves the history behind your existing justifications.

Linking the SoA to Your Risk Assessment

The SoA must be traceable to your risk assessment and risk treatment plan. Clause 6.1.3 has you determine the controls needed to treat each risk (6.1.3 b) and then compare that list with Annex A to confirm that no necessary control has been overlooked (6.1.3 c); the SoA is the record of that comparison. For each applicable control, you should be able to demonstrate which risks the control addresses and how the control was selected as part of your risk treatment process. This traceability ensures that your control selections are risk-driven rather than arbitrary and provides auditors with confidence that your ISMS is built on a solid foundation.

Controls may be included for reasons beyond the risk assessment alone. Legal and regulatory requirements, contractual obligations, and organizational best practices can all justify the inclusion of controls even if the risk assessment alone would not require them. Document these additional justifications alongside the risk-based rationale to provide a complete picture of why each control is part of your ISMS.

For excluded controls, provide substantive justifications that demonstrate thoughtful consideration. Simply stating that a control is not applicable is insufficient. Explain why the control does not address risks relevant to your organization, why the technology or activity it protects is not present in your environment, or why alternative controls adequately address the underlying risk. Auditors will probe weak or generic exclusion justifications.
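The required elements, the traceability to the risk register, and the test for weak exclusion justifications can all be checked mechanically once the SoA is kept in a structured form rather than a free-form spreadsheet. The linter below is an added example, not code from the original article or from any vendor toolkit. It assumes the SoA has been exported to one record per control with the field names shown (control, decision, basis, risks, status, implementation, justification); the risk register entries, the defective sample rows, the particular control IDs picked and the 40-character minimum for an exclusion justification are constructed assumptions for illustration.

```python
"""Lint an ISO/IEC 27001:2022 Statement of Applicability.

Added example (not code from the original article or any vendor toolkit).
It assumes the SoA has been exported to a list of dicts, one per Annex A
control, carrying the elements the article lists; the field names,
risk IDs and sample rows below are assumptions constructed for illustration.
"""

# Annex A of ISO/IEC 27001:2022: four themes, 37 + 8 + 14 + 34 = 93 controls.
THEME_SIZES = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
ALL_CONTROLS = [f"{theme}.{n}" for theme, size in THEME_SIZES.items()
                for n in range(1, size + 1)]

DECISIONS = {"Applicable", "Not applicable"}
STATUSES = {"Fully implemented", "Partially implemented", "Planned", "Not started"}
BASES = {"risk", "legal", "contractual", "business"}   # why a control is included
GENERIC_EXCLUSIONS = {"n/a", "na", "not applicable", "not relevant", "not required"}
MIN_EXCLUSION_LEN = 40   # assumption: shorter text is treated as boilerplate


def lint_soa(rows, risk_register):
    """Return a list of (control_id, message) findings. An empty list means the
    SoA covers every control and each row satisfies the traceability rules."""
    findings, seen = [], {}
    for row in rows:
        cid = row.get("control")
        if cid in seen:
            findings.append((cid, "duplicate row"))
        else:
            seen[cid] = row

    # Coverage: every Annex A control appears exactly once, and nothing unknown does.
    for cid in ALL_CONTROLS:
        if cid not in seen:
            findings.append((cid, "control missing from SoA"))
    for cid in sorted(set(seen) - set(ALL_CONTROLS), key=str):
        findings.append((cid, "not an Annex A (2022) control identifier"))

    for cid, row in seen.items():
        decision = row.get("decision")
        if decision not in DECISIONS:
            findings.append((cid, f"decision must be one of {sorted(DECISIONS)}, got {decision!r}"))
        elif decision == "Applicable":
            findings.extend(_check_applicable(cid, row, risk_register))
        else:
            findings.extend(_check_excluded(cid, row))
    return findings


def _check_applicable(cid, row, risk_register):
    out = []
    bases = set(row.get("basis") or [])
    if not bases or not bases <= BASES:
        out.append((cid, f"inclusion basis must be a non-empty subset of {sorted(BASES)}"))
    if "risk" in bases:
        # Traceability: a risk-driven inclusion must point at real register entries.
        risks = row.get("risks") or []
        if not risks:
            out.append((cid, "risk-based inclusion cites no risk"))
        for rid in risks:
            if rid not in risk_register:
                out.append((cid, f"cites risk {rid} that is not in the risk register"))
    status = row.get("status")
    if status not in STATUSES:
        out.append((cid, f"status must be one of {sorted(STATUSES)}, got {status!r}"))
    elif status != "Not started" and not (row.get("implementation") or "").strip():
        out.append((cid, f"status {status!r} but no implementation description"))
    return out


def _check_excluded(cid, row):
    text = (row.get("justification") or "").strip()
    if text.lower().rstrip(".") in GENERIC_EXCLUSIONS or len(text) < MIN_EXCLUSION_LEN:
        return [(cid, "exclusion justification is generic or too short to survive audit")]
    return []


RISK_REGISTER = {"R-001": "Unauthorised access to customer data (constructed)"}


def sample_soa(with_defects=True):
    """Constructed SoA: every control applicable and risk-driven, one substantive
    exclusion, and (optionally) the mistakes the article warns about. The control
    IDs used for the defects are arbitrary picks, not statements about those controls."""
    rows = {cid: {"control": cid, "decision": "Applicable", "basis": ["risk"],
                  "risks": ["R-001"], "status": "Fully implemented",
                  "implementation": "Constructed description for " + cid}
            for cid in ALL_CONTROLS}
    rows["A.8.30"] = {"control": "A.8.30", "decision": "Not applicable",
                      "justification": ("The activity this control protects does not exist "
                                        "in the organization; confirmed in risk assessment "
                                        "RA-2024-1 (no mapped risks) and in contract review.")}
    if with_defects:
        rows["A.7.8"] = {"control": "A.7.8", "decision": "Not applicable",
                         "justification": "N/A"}              # generic exclusion
        rows["A.8.23"]["risks"] = ["R-999"]                   # dangling risk reference
        rows["A.5.10"]["implementation"] = ""                 # overstated status
        del rows["A.6.3"]                                     # coverage gap
    return list(rows.values())


if __name__ == "__main__":
    for control, message in lint_soa(sample_soa(), RISK_REGISTER):
        print(f"{control}: {message}")
```

Run against the defective sample it reports four findings: the missing A.6.3, the "Fully implemented" row with no description, the "N/A" exclusion, and the row citing a risk that the register does not contain; the substantive exclusion on A.8.30 passes. Hooking a check like this into the same review cycle that updates the risk register is a cheap way to catch the drift the later sections describe before an auditor does.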

Best Practices for SoA Development

Involve control owners in developing the SoA content for their respective areas. The IT manager is best positioned to describe how technological controls are implemented, while the HR manager can provide accurate descriptions of people controls. Centralizing SoA development with a single author who lacks detailed knowledge of every area often results in generic or inaccurate descriptions.

Be specific in your implementation descriptions. Rather than stating that access control is implemented through access management procedures, describe how access control is implemented through Active Directory group policies, role-based access assignments approved by department managers, and quarterly access reviews conducted by system owners. Specific descriptions demonstrate genuine implementation and reduce auditor questions.

Maintain version control and a change history for your SoA. The document will evolve as your ISMS matures, risks change, and controls are implemented or modified. Version tracking ensures that you can demonstrate the progression of your ISMS and provides auditors with confidence that the document is actively managed.

Review and update the SoA at least annually and whenever significant changes affect your control environment. Trigger events include new risk assessment results, organizational changes, new systems or services, security incidents that reveal control gaps, and changes to legal or contractual requirements.

Common SoA Mistakes to Avoid

The most frequent mistake is making all 93 controls applicable without genuine consideration of each control’s relevance. While most controls will be applicable to most organizations, blindly including every control suggests that the SoA was not developed through a genuine risk-driven process. Auditors may question whether your risk assessment truly informed your control selections.

Another common mistake is providing implementation descriptions that describe what should happen rather than what actually happens. The SoA should reflect your current reality, including any controls that are only partially implemented. Overstating your implementation creates credibility problems during audits when the assessor finds that actual practices do not match the SoA descriptions.

Failing to update the SoA after changes to your environment is a maintenance mistake that accumulates over time. When you deploy new systems, implement new controls, or modify existing ones, the SoA must be updated to reflect these changes. An outdated SoA undermines audit confidence and may result in nonconformities.

At Easy Compliances, our ISO 27001 compliance toolkit includes a professionally designed SoA template pre-populated with all 93 controls from the 2022 version. The template includes guidance notes for each control, example justifications, and implementation description frameworks that help you create a comprehensive and audit-ready SoA efficiently.
