
Understanding the Statement of Applicability (SoA) for ISO/IEC 27001

An SoA (Statement of Applicability) for ISO 27001 is a document that lists the controls from Annex A of the standard (plus any additional controls the organization has chosen), states whether each one is applicable, and records whether it is implemented. It is a mandatory component of the Information Security Management System (ISMS), required by clause 6.1.3, and provides a single overview of the security controls that apply to the organization's information assets.

While ISO 27001 defines the requirements for establishing, implementing, maintaining, and continually improving an ISMS, the SoA specifically records which controls the risk treatment process determined to be necessary, why they were included or excluded, and their implementation status. The SoA is the primary artefact a certification auditor uses to trace controls back to risk treatment decisions, so it should be consistent with the risk register and the risk treatment plan.

Here's a general structure and content that can be included in an SoA for ISO 27001:

Introduction:

  • Purpose and scope of the SoA.
  • Explanation of the relationship between the SoA and the organization's ISMS.

Control Objectives and Controls:

  • List of the controls in Annex A of ISO 27001. (In the 2022 edition, Annex A contains 93 controls grouped into four themes, Organizational, People, Physical, and Technological, and no longer states separate control objectives; the 2013 edition listed 114 controls under 14 clauses with control objectives.)
  • Identification and description of controls implemented to address each control objective.
  • Explanation of how the controls meet the organization's specific security needs.

Control Implementation:

  • Description of the implementation status of each control.
  • Description of the ISMS policies and procedures in place for the Annex A controls.
  • Identification of the implementation status of each control (e.g., implemented, partially implemented, planned, not applicable).
  • Explanation of any additional controls implemented beyond those specified in ISO 27001.

Justification for Exclusions:

  • Every Annex A control must appear in the SoA. If any control is considered not applicable, a justification for its exclusion must be provided; clause 6.1.3 also requires a justification for each control that is included.
  • The rationale for excluding a specific control should be documented based on the risk assessment and risk treatment decisions required by ISO/IEC 27001, so that an auditor can trace the exclusion back to the absence of a corresponding risk rather than to convenience.

Mapping to Risks:

  • Linking of each control to the risks or threats it addresses.
  • Explanation of how the controls mitigate or reduce identified risks.

Compliance and Verification:

  • Explanation of the processes used to verify the effectiveness of the implemented controls.
  • Documentation of compliance with legal, regulatory, and contractual requirements related to information security.

Review and Approval:

  • Identification of the responsible parties involved in the review and approval process.
  • Signatures and dates of approval by relevant management stakeholders.
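The structure above amounts to a set of consistency rules that an auditor will check by hand: every Annex A control is listed, every exclusion and inclusion has a justification, and every included control maps to a risk. The following is an added example, not part of the original page or of any MorganHill workbook, that applies those rules to a constructed CSV extract of an SoA. The column names (control_id, status, justification, risks), the status vocabulary, and the sample rows are assumptions for illustration; the Annex A control counts are those of ISO/IEC 27001:2022.

```python
import csv
import io

# Annex A of ISO/IEC 27001:2022 lists 93 controls in four themes:
# 5 Organizational (37), 6 People (8), 7 Physical (14), 8 Technological (34).
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A_IDS = [f"A.{theme}.{n}" for theme, count in ANNEX_A_COUNTS.items()
               for n in range(1, count + 1)]

# Status vocabulary assumed for this example; an organization defines its own.
STATUSES = {"implemented", "partially implemented", "planned", "not applicable"}

# Constructed sample SoA extract (not a real organization's SoA).
# The column names are assumptions for this example.
SAMPLE_SOA = """control_id,status,justification,risks
A.5.1,implemented,Policy set required by risk treatment plan,R-01;R-02
A.6.7,not applicable,,
A.7.4,not applicable,No physical premises; staff remote and infrastructure cloud-hosted,
A.8.34,done,Audit tooling in place,R-07
A.9.1,implemented,Customer contract requires MFA for all admin accounts,R-03
"""


def validate_soa(csv_text):
    """Check an SoA extract for the consistency rules an auditor looks for.

    Returns {"missing": [Annex A ids absent from the SoA],
             "findings": [human-readable problems with listed controls]}.
    """
    listed = {}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = (row.get("control_id") or "").strip()
        if cid in listed:
            findings.append(f"{cid}: listed more than once")
        listed[cid] = {k: (v or "").strip() for k, v in row.items() if k}

    # Rule 1: every Annex A control must appear, even if excluded.
    missing = [cid for cid in ANNEX_A_IDS if cid not in listed]

    for cid, row in listed.items():
        status = row.get("status", "").lower()
        # Controls outside Annex A are allowed but belong under "additional controls".
        if cid not in ANNEX_A_IDS:
            findings.append(f"{cid}: not an Annex A control; record it under additional controls")
        if status not in STATUSES:
            findings.append(f"{cid}: unknown status '{row.get('status')}'")
            continue
        # Rule 2: both inclusion and exclusion need a justification (clause 6.1.3).
        if not row.get("justification"):
            kind = "exclusion" if status == "not applicable" else "inclusion"
            findings.append(f"{cid}: no justification for {kind}")
        # Rule 3: included controls map to risks; excluded ones should not.
        if status == "not applicable":
            if row.get("risks"):
                findings.append(f"{cid}: excluded but still mapped to risks {row['risks']}")
        elif not row.get("risks"):
            findings.append(f"{cid}: included but not linked to any risk")
    return {"missing": missing, "findings": findings}


if __name__ == "__main__":
    result = validate_soa(SAMPLE_SOA)
    print(f"{len(result['missing'])} Annex A controls missing from the SoA")
    for finding in result["findings"]:
        print("-", finding)
```

On the sample, the check reports 89 Annex A controls absent (only four of the five rows are Annex A controls), an exclusion without justification (A.6.7), an unrecognised status (A.8.34), and a control outside Annex A (A.9.1) that should be recorded as an additional control rather than mixed into the Annex A list. Running this kind of check before the certification audit catches the inconsistencies between the SoA, the risk register, and the risk treatment plan that auditors most often raise as nonconformities.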

It's important to note that the exact content and structure of an SoA can vary depending on the organization's specific context, industry, and information security requirements. Need assistance with developing your very own SoA for ISO/IEC 27001 certification? Talk to MorganHill today.


Download our comprehensive, in-depth ISMS 27001 Statement of Applicability (SoA) Workbook, covering the SoA required by ISO/IEC 27001:2022 clause 6.1.3, to help your organization fully document all required information for an SoA.

Talk to MorganHill today and Get the Answers You Need

Scope: We'll help you define important scoping parameters.

Documentation: We'll help you develop all required policies and procedures.

Guidance: We'll guide you through the ISO/IEC process from start to finish.

One Price: Our fees for all services are fixed.

Wherever you are in North America, Europe, Africa, or Asia, MorganHill is ready to assist.

Expertise: Since 2006, we have been an industry leader for ISO/IEC.

Knowledge: We've worked with every ISO/IEC standard currently in print.

Industry: We've worked in every major industry/sector.


Four months after completing all necessary pre-certification work, the organization obtained ISO/IEC 27001 certification from an ANAB-accredited certification body that we recommended to them.


Three months after completing all necessary pre-certification work, the organization obtained ISO/IEC 27001 certification from an ANAB-accredited certification body that we recommended to them.