How to Develop a Statement of Applicability: Step-by-Step Guide

The ISO Statement of Applicability (SoA) is central to achieving ISO certification. It is the point of reference through which external parties assess your adherence to the standard. ISO/IEC 27001:2022 places strong emphasis on documentation and specifies a list of mandatory documents. Although the SoA is not listed among them, it is required in most, if not all, ISO 27001 certifications, because it is rare for every Annex A control in ISO 27001:2022 to apply to a given organization.

The SoA is a document that lists why specific controls were implemented and why other controls weren’t. It justifies the inclusion or exclusion of Annex A controls and demonstrates a deliberate, informed approach to security. Read on as we explore this document and discuss what should be included. 


Key Components and Purpose

According to Clause 6.1.3 (d), organizations are required to produce an ISO 27001 SoA that contains:

  1. The necessary controls
  2. Justification for their inclusion 
  3. Implementation status
  4. Justification for excluding any Annex A controls

Why the SoA Matters

The SoA document is frequently encountered during ISO 27001 audits and stakeholder interactions. Its significance lies in:

  • Providing transparency
  • Demonstrating compliance
  • Guiding risk management

Crafting Your SoA: A Step-by-Step Guide

  1. Define Scope

Provide specifics regarding the areas of the organization that will be subject to the ISO standard’s application. This is significant because not all departments or procedures will be included.

  2. Carry out a Risk Assessment

Conduct a risk assessment of the information security risk unique to your firm. Select an appropriate technique, taking into consideration elements such as probability, impact, and risk acceptance criteria.

  3. Select Controls

Select the particular controls or measures that will be implemented to demonstrate compliance with the ISO criteria. These may take the form of rules, procedures, technology, or any mix of these that the company deems appropriate.

  4. Explain the Exclusions

It should be abundantly clear which specific requirements of the ISO standard do not apply to the company, and the reasoning should be provided. This transparency is essential both for internal understanding and for external audits.

  5. Justify the Inclusions

The rationale behind including particular controls should be articulated clearly. Provide evidence to support your conclusions, such as risk assessment results and the compliance requirements the control addresses.

  6. Document the Implementation Status

Note the current status of each control implementation, stating whether it is fully implemented, partially implemented, or not relevant.

How to Update Your SoA for ISO 27001:2022

Several key recommendations can be made for companies already holding ISO 27001:2013 certification and considering amending their SoA in light of the ISO 27001:2022 updates. Firstly, given that organizations can achieve certification to ISO 27001:2022, it is advisable to transition to the updated control set, taking advantage of the enhanced clarity, relevance, and guidance offered by the new controls in ISO 27002:2022.

The annex in ISO 27002:2022 facilitates a straightforward comparison between the controls of the 2022 version and the 2013 iteration of the standard. This comparison can be a valuable resource for companies aiming to update their SoA to align with the latest control set while recertifying against the previous standard.

Your Statement of Applicability (SoA) will likely be one of the first documents your auditor looks at. The 2022 version is structured differently from the 2013 version, and failure to update clauses and control numbers will indicate a faulty transition to the new ISO 27001 standard.

The changes in the structure and wording of controls in ISO 27001:2022 necessitate careful review and adjustment of your SoA. Unlike the 2013 version, where each control section had an objective, the new version emphasizes individual control purposes. This shift requires organizations to reassess their control requirements based on these updated objectives. 

Guide to Updating Your SoA

To update your SoA effectively, consider the following steps:

Review Changes

Familiarize yourself with the changes in control structure and wording between ISO 27001:2013 and ISO 27001:2022. Pay particular attention to how controls are now presented with distinct purposes rather than grouped under overarching objectives.

Assess Impact

Evaluate how these changes affect your existing control framework. Determine whether the revised control purposes align with your organization’s security needs and objectives. Utilize the attributes outlined in ISO 27002:2022 to help assess the suitability of each control.

Map Controls

Use tables provided in ISO 27002 to map new controls directly to their counterparts in the previous version. While some controls may have equivalent mappings, it’s essential to recognize that subtle differences in titling and wording may exist between the two versions.

Update SoA

Incorporate the findings of your review and assessment into your SoA. Ensure all control numbers, clauses, and descriptions are updated to reflect the changes introduced in ISO 27001:2022. Document any deviations or adjustments to align with your organization’s requirements.

Verification

Before finalizing your updated SoA, conduct a thorough verification process to ensure accuracy and completeness. Verify that each control is appropriately justified and aligned with your organization’s risk management framework.


Shortcut Guide to SoA

SoAs often entail exhaustive listings of Annex A controls, accompanied by detailed explanations for their inclusion or exclusion. However, the standard does not prescribe a specific format or structure for the SoA.

What if there’s a more straightforward, efficient way to craft your SoA? Let’s delve into a novel approach that challenges traditional methodologies, offering a streamlined alternative that makes perfect sense in today’s dynamic organizational landscape.

In a fascinating article, Chris Hall challenges the convention of listing all Annex A controls and explaining the justification for inclusion and exclusion. His argument stems from the foundational framework provided by ISO 31000, a comprehensive guide to risk management recognized internationally. ISO 31000, unlike ISO 27001, does not prescribe the need for an SoA. If effective risk management can be achieved without an SoA, why is it indispensable in ISO 27001?

The risk assessment process inherently addresses all applicable controls. Thus, a simple approach can be to use the risk assessment as a justification for including or excluding Annex A controls.  

The SoA can be treated as a standalone document rather than being directly linked to the findings of the risk assessment process.

To that end, we’ll present a minimalist guide to the ISO 27001 SoA. But we don’t take responsibility for auditor reaction (which may be extreme). They are not used to seeing this breed of SoAs.

A Minimalist Guide to Developing Your ISO 27001 Statement of Applicability

  1. Justification for Inclusion and Exclusion

At the top of your SoA, provide a succinct statement for both inclusion and exclusion of controls:

  • Inclusion: “All controls listed below are applicable/justified because they are named in the information risk assessment as necessary to manage one or more identified risks.”
  • Exclusion of Annex A Controls: “Any controls not listed below (e.g., as in Annex A) are not applicable/not justified because they have not been identified as necessary to manage one or more identified risks.”

  2. List of Applicable Controls

Besides the introductory statements, the SoA should include a list of controls, usually in table form, consisting of the control identifier and the control description. The description can be taken from Annex A or, for custom controls, from an outside source such as NIST.

  3. Implementation Status

If not all controls are implemented, include an additional column stating whether they are “implemented” or “not implemented.” If all controls are implemented, a simple statement at the top suffices: “All controls listed below are implemented.”
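As an added example (not part of the article or of Chris Hall's guidance), the following Python builds this minimalist SoA from a constructed risk register: the inclusion and exclusion statements are fixed, the applicable list is derived from the controls the risks name, and the status column is only added when not every control is implemented. The Annex A subset is abridged, and the custom control, risk entries and status flags are invented sample data.

```python
"""Minimalist ISO 27001 SoA generated from a risk register.
Added example: the register, catalogue and status flags are constructed sample data."""

INCLUSION = ("All controls listed below are applicable/justified because they are named in "
             "the information risk assessment as necessary to manage one or more identified risks.")
EXCLUSION = ("Any controls not listed below (e.g., as in Annex A) are not applicable/not justified "
             "because they have not been identified as necessary to manage one or more identified risks.")

# Abridged sample of Annex A control identifiers and titles (not the full catalogue).
ANNEX_A = {
    "5.1": "Policies for information security",
    "6.3": "Information security awareness, education and training",
    "8.7": "Protection against malware",
    "8.8": "Management of technical vulnerabilities",
}
# Custom (non-Annex A) controls take their description from an outside source.
CUSTOM = {"CUST-01": "Weekly authenticated vulnerability scan (hypothetical NIST-derived control)"}

# Constructed risk register: each risk names the controls selected to treat it.
RISK_REGISTER = [
    {"id": "R-01", "risk": "Phishing leads to credential theft", "controls": ["6.3", "8.7"]},
    {"id": "R-02", "risk": "Unpatched internet-facing server exploited", "controls": ["8.8", "CUST-01"]},
]
IMPLEMENTED = {"6.3", "8.7", "8.8"}  # CUST-01 is still being rolled out

def build_soa(register, catalogue, implemented):
    """Return (header statements, table rows); applicability comes only from the register."""
    applicable = sorted({c for r in register for c in r["controls"]})
    undefined = [c for c in applicable if c not in catalogue]
    if undefined:  # a risk names a control nobody described: the SoA would be incomplete
        raise ValueError(f"controls named in risks but not in any catalogue: {undefined}")
    all_done = all(c in implemented for c in applicable)
    header = [INCLUSION, EXCLUSION]
    if all_done:  # a single statement suffices instead of a status column
        header.append("All controls listed below are implemented.")
    rows = []
    for c in applicable:
        row = {"control": c, "description": catalogue[c],
               "risks": [r["id"] for r in register if c in r["controls"]]}
        if not all_done:
            row["status"] = "implemented" if c in implemented else "not implemented"
        rows.append(row)
    return header, rows

def excluded_annex_a(register, annex_a):
    """Annex A controls no risk names; these fall under the blanket exclusion statement."""
    named = {c for r in register for c in r["controls"]}
    return sorted(c for c in annex_a if c not in named)
```

Each row keeps the risk identifiers that justify the control, so an auditor can trace every inclusion back to the risk assessment.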

Where To Start on ISO 27001:2022 Compliance

Transitioning to ISO 27001:2022 and updating your SoA can be difficult. 

And that’s where Centraleyes comes in.

With our platform, you can access Smartmapping, a feature that facilitates seamless alignment between standards like NIS2, NIST CSF, ISO 27001, and ISO 27002. Plus, the 2022 versions of ISO 27001 and 27002 are live on the Centraleyes platform, with ample time to prepare for the October 2025 transition deadline!

But that’s not all. We’ve revamped our ISO 27001 questionnaire to equip your organization with everything necessary to ace the ISO 27001 audit. From comprehensive information on preparation requirements to ready-made ISMS policy templates for all potential policies and procedures, Centraleyes has you covered at every step.
