
SoA ISO 27001: Statement of Applicability Explained (Incl. Free Template)

What is the SoA ISO 27001 (Statement of Applicability) and Why Is It Important?

The Statement of Applicability (SoA) is a mandatory document of an ISO 27001 Information Security Management System (ISMS); clause 6.1.3 d) of the standard requires it. It lists every control in Annex A of the standard and states, for each one, whether the organization applies it, why it was included or excluded, and whether it is implemented. Which controls it has to list depends on the edition you certify against: ISO/IEC 27001:2013 Annex A contains 114 controls in 14 sections, ISO/IEC 27001:2022 contains 93 controls in four themes (organizational, people, physical, technological), so an SoA built on the wrong edition will not match the auditor's checklist.

The SoA is mandatory for ISO 27001 certification and is the document internal and external auditors use to decide which controls to sample. Errors or gaps in it are raised as nonconformities and can delay or block certification, so it has to be created and maintained in a structured way. A clear SoA makes the implemented security measures transparent and lets auditors understand your organization's security posture quickly. It also gives customers, partners, and other stakeholders a concise answer to the question of which controls you operate and why.

Structure & Contents of an SoA ISO 27001

A complete SoA document should contain:

  • List of all Annex A controls, by number and title: every control of the edition you certify against (for example access control, cryptography, asset management, security awareness and training), not only the ones you apply.
  • Applicability decision: for each control, whether it applies to the organization and why, traced back to the risks and risk treatment options it addresses, together with its implementation status (implemented or not).
  • Justification for exclusions: a specific reason for every excluded control, for example that the asset, activity, or technology it protects does not exist within the ISMS scope; "not applicable" on its own is not a justification.
  • References to internal documents: the policies, procedures, or technical implementations that realize each applicable control, so an auditor can go from the SoA to the evidence.
  • Approval and accountability: who owns each control, who approved the SoA, and when it was last reviewed and updated.
  • Additional notes: a change history, planned security measures, and open improvements.

Download a Free SoA ISO 27001 Template

Ready to create your Statement of Applicability quickly and professionally? Use our proven and free SoA template, specifically designed for ISO 27001:

➡️ Download your free SoA ISO 27001 Template here

A well-structured SoA lets organizations document their security measures transparently and significantly improves audit readiness. Careful selection and justification of controls reduce audit risk, so that auditors find fewer issues and security gaps.

Common Mistakes & Misunderstandings about the SoA ISO 27001

Typical mistakes organizations make when creating their SoA:

  • ❌ Missing or unclear justification for applicable or excluded controls.
  • ❌ Outdated SoA versions that no longer match the current risk treatment plan, scope, or control set, causing nonconformities during audits.
  • ❌ Poor integration with internal policies, so the document cannot be traced to the evidence behind each control.
  • ❌ Generic or copied templates that are not tailored to the organization's own risks and scope.
  • ❌ Lack of alignment with other ISMS documentation, for example a control excluded in the SoA that a policy claims to implement.

Best Practices for Creating an Effective SoA ISO 27001

Consider these best practices to create a helpful, audit-compliant SoA:

  • ✔ Regular Review & Updates: Review and adjust the SoA at least annually and after every significant ISMS change (new systems, scope changes, new or re-rated risks).
  • ✔ Clear Justification for Each Control: Provide clear rationale for applying or excluding security measures to satisfy auditors.
  • ✔ Link to Risk Assessment: Measures documented in the SoA should derive directly from your organization's risk assessment.
  • ✔ Involve Relevant Stakeholders: Engage IT security officers, data protection officers, and management when creating the SoA.
  • ✔ Utilize Templates & Automation: Efficiently manage and document the SoA using suitable tools and methods.
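The structure section above describes the fields an SoA needs, and the mistakes list describes how entries go wrong; the "Utilize Templates & Automation" point is where a small script earns its keep. The following is an added example written for this article, not the downloadable template and not any vendor's tool: it models SoA entries as records and checks them for the listed defects (controls left out, generic justifications, dangling document references, stale review dates, missing owners, and contradictions with other ISMS documents). Control numbers and titles are from ISO/IEC 27001:2022 Annex A; the record layout, the document register, the audit date, and every sample entry are constructed for illustration.

```python
"""Consistency checks for a Statement of Applicability (SoA) record set.

Added example for this article; not the downloadable template. Control numbers
and titles are from ISO/IEC 27001:2022 Annex A. The record layout, the document
register and all sample entries below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Subset of ISO/IEC 27001:2022 Annex A that the sample SoA must account for.
ANNEX_A = {
    "5.1": "Policies for information security",
    "5.9": "Inventory of information and other associated assets",
    "5.15": "Access control",
    "6.3": "Information security awareness, education and training",
    "7.1": "Physical security perimeters",
    "8.24": "Use of cryptography",
}

# Constructed ISMS document register: document id -> controls it claims to
# implement. Used to catch contradictions between the SoA and policies.
ISMS_DOCUMENTS = {
    "POL-01 Information Security Policy": {"5.1"},
    "POL-07 Access Control Policy": {"5.15"},
    "PRC-03 Asset Inventory Procedure": {"5.9"},
    "STD-02 Cryptography Standard": {"8.24"},
}

# Phrases that state no reason and will not satisfy an auditor.
GENERIC_JUSTIFICATIONS = {"", "n/a", "not applicable", "required",
                          "best practice", "see policy"}


@dataclass
class SoaEntry:
    control_id: str
    applicable: bool
    justification: str
    implemented: bool = False
    references: list[str] = field(default_factory=list)
    owner: str = ""
    last_reviewed: date | None = None


def validate_soa(entries, today, max_age_days=365):
    """Return sorted (control_id, finding) pairs for the defects found."""
    findings = []
    listed = {e.control_id for e in entries}
    for cid in ANNEX_A:                      # every Annex A control must appear
        if cid not in listed:
            findings.append((cid, "control absent from the SoA"))
    for e in entries:
        cid = e.control_id
        if cid not in ANNEX_A:
            findings.append((cid, "not an Annex A control number"))
        if e.justification.strip().lower() in GENERIC_JUSTIFICATIONS:
            findings.append((cid, "missing or generic justification"))
        if not e.owner.strip():
            findings.append((cid, "no accountable owner"))
        if e.last_reviewed is None or (today - e.last_reviewed).days > max_age_days:
            findings.append((cid, f"review date missing or older than {max_age_days} days"))
        for ref in e.references:             # every reference must resolve
            if ref not in ISMS_DOCUMENTS:
                findings.append((cid, f"reference to unknown document: {ref}"))
        claimed_by = sorted(d for d, ctrls in ISMS_DOCUMENTS.items() if cid in ctrls)
        if e.applicable:
            if e.implemented and not e.references:
                findings.append((cid, "marked implemented but cites no policy or procedure"))
        else:
            if e.implemented or e.references:
                findings.append((cid, "excluded control marked implemented or referenced"))
            if claimed_by:                   # SoA says excluded, a policy says implemented
                findings.append((cid, "excluded but implemented by: " + ", ".join(claimed_by)))
    return sorted(findings)


# Constructed SoA extract with deliberate defects (noted per entry).
AUDIT_DATE = date(2025, 3, 1)
SAMPLE_SOA = [
    SoaEntry("5.1", True, "Demanded by clause 5.2 and by every customer contract",
             True, ["POL-01 Information Security Policy"], "CISO", date(2024, 11, 4)),
    SoaEntry("5.9", True, "Risk R-12 (unknown assets) rated high in the 2024 assessment",
             True, ["PRC-03 Asset Inventory Procedure"], "IT Operations Lead", date(2023, 2, 1)),  # stale
    SoaEntry("5.15", True, "Required",  # generic justification
             True, ["POL-07 Access Control Policy"], "CISO", date(2024, 11, 4)),
    SoaEntry("6.3", True, "Phishing risk R-03; annual training tracked in the LMS",
             True, ["PRC-09 Training Procedure"], "HR Lead", date(2024, 11, 4)),  # dangling reference
    SoaEntry("7.1", False, "No premises of our own; co-working space covered by supplier controls (risk R-20)",
             False, [], "CISO", date(2024, 11, 4)),  # acceptable exclusion
    SoaEntry("8.24", False, "Not applicable",  # generic, contradicts STD-02, no owner
             False, [], "", date(2024, 11, 4)),
]


def sample_findings():
    """Run the checks over the constructed extract."""
    return validate_soa(SAMPLE_SOA, AUDIT_DATE)


if __name__ == "__main__":
    for control_id, finding in sample_findings():
        print(f"{control_id:>5}  {finding}")
```

Run before every internal audit and after each ISMS change; a clean run does not prove the justifications are good, only that none of them is empty, generic, unowned, stale, unreferenced, or contradicted by the document register, which is exactly the set of mechanical findings an auditor would otherwise raise first.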

Get Started Now: Achieve ISO 27001 Certification Effortlessly

Need support implementing your ISO 27001 project? ISO 27001 projects can be complex, especially when identifying the right controls, optimizing processes, and efficiently meeting compliance requirements.

Our approach enables quick, structured implementation with 70% less manual effort—from gap analysis and risk management to certification readiness. Learn how to complete your ISO 27001 project in just 3–6 months:

Learn more here

