Statement of Applicability
A key ISO 27001 document that lists all 93 Annex A controls and states whether each is applicable to the organization, along with justification for inclusion or exclusion and a description of how applicable controls are implemented.
The Statement of Applicability (SoA) is arguably the most important document in an ISO 27001 ISMS. It serves as the bridge between the risk assessment and the actual security controls in place. Every ISO 27001 certification audit will thoroughly review the SoA.
The SoA must address all 93 controls listed in ISO 27001:2022 Annex A. For each control, the document states whether it applies to the organization. If a control is applicable, the SoA describes how it is implemented. If a control is excluded, the SoA must provide a clear justification — typically that the risk it addresses is not relevant to the organization's scope. Auditors will challenge exclusions that seem unjustified.
Creating a thorough SoA requires a solid understanding of both the Annex A controls and the organization's actual security posture. It is not a document that can be copied from a template — it must reflect the specific risks, context, and controls of the organization. That said, the SoA is also a living document. As risks change and controls evolve, the SoA should be updated to reflect the current state of the ISMS.
Related terms
Annex A
The appendix to ISO 27001 that contains a reference set of 93 information security controls organized into four themes: Organizational, People, Physical, and Technological. Organizations use Annex A as a checklist to ensure their ISMS addresses all relevant control areas.
Compliance Gap Analysis
A structured assessment that compares an organization's current security posture and practices against the requirements of a specific compliance framework. Gap analysis identifies areas where the organization falls short and helps prioritize remediation efforts.
Information Security Management System
A systematic framework of policies, processes, and controls that an organization establishes to manage and protect its information assets. An ISMS addresses people, processes, and technology to ensure the confidentiality, integrity, and availability of information.
Risk Assessment
A structured process for identifying, analyzing, and evaluating information security risks. Risk assessments determine the likelihood and potential impact of threats to an organization's information assets, guiding decisions about which controls to implement.