
SoA ISO 27001: Statement of Applicability Explained (Incl. Free Template)

What is the SoA ISO 27001 (Statement of Applicability) and Why Is It Important?

The Statement of Applicability (SoA) according to ISO 27001 is a key document within an Information Security Management System (ISMS). It lists all security controls from Annex A of the ISO 27001 standard, indicating which ones apply to the organization and explaining reasons for exclusions.

The SoA is mandatory for ISO 27001 certification and serves as the basis for internal and external audits. Errors in this document can result in certification denial, making structured creation and maintenance essential. A clear SoA provides transparency about implemented security measures and helps auditors understand your organization's security posture. Additionally, a well-documented SoA facilitates effective communication with stakeholders and partners.

Structure & Contents of an SoA ISO 27001

A complete SoA document should contain:

  • List of all ISO 27001 controls from Annex A: Access controls, cryptography, asset management, security awareness, and training.
  • Relevance assessment: Which controls are applicable to the organization and why?
  • Justification for exclusions: Logical explanations if certain controls are excluded.
  • References to internal documents: Policies, processes, or technical implementations.
  • Approval and accountability: Clearly define who is responsible and when the SoA was last updated.
  • Additional notes: Record changes, planned security measures, and potential improvements.

Download a Free SoA ISO 27001 Template

Ready to create your Statement of Applicability quickly and professionally? Use our proven and free SoA template, specifically designed for ISO 27001:

➡️ Download your free SoA ISO 27001 Template here

A well-structured SoA helps organizations transparently document security measures, significantly improving audit readiness. Thoughtful selection and justification of controls reduce audit risks, ensuring auditors identify fewer issues or security gaps.

Common Mistakes & Misunderstandings about the SoA ISO 27001

Many organizations make critical mistakes when creating their SoA:

  • ❌ Missing or unclear justification for applicable or excluded controls.
  • ❌ Outdated SoA versions, causing issues during audits.
  • ❌ Poor integration with internal policies, making the document incomplete.
  • ❌ Generic or copied templates that are not tailored to specific organizational needs.
  • ❌ Lack of alignment with other ISMS documentation, leading to contradictions.

Best Practices for Creating an Effective SoA ISO 27001

Consider these best practices to create a helpful, audit-compliant SoA:

  • ✔ Regular Review & Updates: Review and adjust the SoA at least annually and after significant ISMS changes.
  • ✔ Clear Justification for Each Control: Provide clear rationale for applying or excluding security measures to satisfy auditors.
  • ✔ Link to Risk Assessment: Measures documented in the SoA should derive directly from your organization's risk assessment.
  • ✔ Involve Relevant Stakeholders: Engage IT security officers, data protection officers, and management when creating the SoA.
  • ✔ Utilize Templates & Automation: Efficiently manage and document the SoA using suitable tools and methods.

Get Started Now: Achieve ISO 27001 Certification Effortlessly

Need support implementing your ISO 27001 project? ISO 27001 projects can be complex, especially when identifying the right controls, optimizing processes, and efficiently meeting compliance requirements.

Our approach enables quick, structured implementation with 70% less manual effort—from gap analysis and risk management to certification readiness. Learn how to complete your ISO 27001 project in just 3–6 months:

Learn more here
