SoA ISO 27001: Statement of Applicability Explained (Incl. Free Template)

What is the SoA ISO 27001 (Statement of Applicability) and Why Is It Important?

The Statement of Applicability (SoA) according to ISO 27001 is a key document within an Information Security Management System (ISMS). It lists all security controls from Annex A of the ISO 27001 standard, indicating which ones apply to the organization and explaining reasons for exclusions.

The SoA is mandatory for ISO 27001 certification and serves as the basis for internal and external audits. Errors in this document can result in certification denial, making structured creation and maintenance essential. A clear SoA provides transparency about implemented security measures and helps auditors understand your organization's security posture. Additionally, a well-documented SoA facilitates effective communication with stakeholders and partners.

Structure & Contents of an SoA ISO 27001

A complete SoA document should contain:

  • List of all ISO 27001 controls from Annex A: for example access control, cryptography, asset management, and security awareness and training.
  • Relevance assessment: Which controls are applicable to the organization and why?
  • Justification for exclusions: Logical explanations if certain controls are excluded.
  • References to internal documents: Policies, processes, or technical implementations.
  • Approval and accountability: Clearly define who is responsible and when the SoA was last updated.
  • Additional notes: Record changes, planned security measures, and potential improvements.

Download a Free SoA ISO 27001 Template

Ready to create your Statement of Applicability quickly and professionally? Use our proven and free SoA template, specifically designed for ISO 27001:

➡️ Download your free SoA ISO 27001 Template here

A well-structured SoA helps organizations transparently document security measures, significantly improving audit readiness. Thoughtful selection and justification of controls reduce audit risks, ensuring auditors identify fewer issues or security gaps.

Common Mistakes & Misunderstandings about the SoA ISO 27001

Many organizations make critical mistakes when creating their SoA:

  • ❌ Missing or unclear justification for applicable or excluded controls.
  • ❌ Outdated SoA versions, causing issues during audits.
  • ❌ Poor integration with internal policies, making the document incomplete.
  • ❌ Generic or copied templates that are not tailored to specific organizational needs.
  • ❌ Lack of alignment with other ISMS documentation, leading to contradictions.

Best Practices for Creating an Effective SoA ISO 27001

Consider these best practices to create a helpful, audit-compliant SoA:

  • ✔ Regular Review & Updates: Review and adjust the SoA at least annually and after significant ISMS changes.
  • ✔ Clear Justification for Each Control: Provide clear rationale for applying or excluding security measures to satisfy auditors.
  • ✔ Link to Risk Assessment: Measures documented in the SoA should derive directly from your organization's risk assessment.
  • ✔ Involve Relevant Stakeholders: Engage IT security officers, data protection officers, and management when creating the SoA.
  • ✔ Utilize Templates & Automation: Efficiently manage and document the SoA using suitable tools and methods.

Get Started Now: Achieve ISO 27001 Certification Effortlessly

Need support implementing your ISO 27001 project? ISO 27001 projects can be complex, especially when identifying the right controls, optimizing processes, and efficiently meeting compliance requirements.

Our approach enables quick, structured implementation with 70% less manual effort—from gap analysis and risk management to certification readiness. Learn how to complete your ISO 27001 project in just 3–6 months:

Learn more here
