What is the SoA ISO 27001 (Statement of Applicability) and Why Is It Important?
The Statement of Applicability (SoA) according to ISO 27001 is a key document within an Information Security Management System (ISMS). It lists all security controls from Annex A of the ISO 27001 standard, indicating which ones apply to the organization and explaining reasons for exclusions.
The SoA is mandatory for ISO 27001 certification and serves as the basis for internal and external audits. Errors in this document can result in certification denial, making structured creation and maintenance essential. A clear SoA provides transparency about implemented security measures and helps auditors understand your organization's security posture. Additionally, a well-documented SoA facilitates effective communication with stakeholders and partners.
Structure & Contents of an SoA ISO 27001
A complete SoA document should contain:
- List of all ISO 27001 controls from Annex A: Access controls, cryptography, asset management, security awareness, and training.
- Relevance assessment: Which controls are applicable to the organization and why?
- Justification for exclusions: Logical explanations if certain controls are excluded.
- References to internal documents: Policies, processes, or technical implementations.
- Approval and accountability: Clearly define who is responsible and when the SoA was last updated.
- Additional notes: Record changes, planned security measures, and potential improvements.
Download a Free SoA ISO 27001 Template
Ready to create your Statement of Applicability quickly and professionally? Use our proven and free SoA template, specifically designed for ISO 27001:
➡️ Download your free SoA ISO 27001 Template here
A well-structured SoA helps organizations transparently document security measures, significantly improving audit readiness. Thoughtful selection and justification of controls reduce audit risks, ensuring auditors identify fewer issues or security gaps.
Common Mistakes & Misunderstandings about the SoA ISO 27001
Many organizations make critical mistakes when creating their SoA:
- ❌ Missing or unclear justification for applicable or excluded controls.
- ❌ Outdated SoA versions, causing issues during audits.
- ❌ Poor integration with internal policies, making the document incomplete.
- ❌ Generic or copied templates that are not tailored to specific organizational needs.
- ❌ Lack of alignment with other ISMS documentation, leading to contradictions.
Best Practices for Creating an Effective SoA ISO 27001
Consider these best practices to create a helpful, audit-compliant SoA:
- ✔ Regular Review & Updates: Review and adjust the SoA at least annually and after significant ISMS changes.
- ✔ Clear Justification for Each Control: Provide clear rationale for applying or excluding security measures to satisfy auditors.
- ✔ Link to Risk Assessment: Measures documented in the SoA should derive directly from your organization's risk assessment.
- ✔ Involve Relevant Stakeholders: Engage IT security officers, data protection officers, and management when creating the SoA.
- ✔ Utilize Templates & Automation: Efficiently manage and document the SoA using suitable tools and methods.
Get Started Now: Achieve ISO 27001 Certification Effortlessly
Need support implementing your ISO 27001 project? ISO 27001 projects can be complex, especially when identifying the right controls, optimizing processes, and efficiently meeting compliance requirements.
Our approach enables quick, structured implementation with 70% less manual effort—from gap analysis and risk management to certification readiness. Learn how to complete your ISO 27001 project in just 3–6 months: