
SoA ISO 27001: Statement of Applicability Explained (Incl. Free Template)

What is the SoA ISO 27001 (Statement of Applicability) and Why Is It Important?

The Statement of Applicability (SoA) according to ISO 27001 is a key document within an Information Security Management System (ISMS). It lists all security controls from Annex A of the ISO 27001 standard, indicating which ones apply to the organization and explaining reasons for exclusions.

The SoA is mandatory for ISO 27001 certification and serves as the basis for internal and external audits. Errors in this document can result in certification denial, making structured creation and maintenance essential. A clear SoA provides transparency about implemented security measures and helps auditors understand your organization's security posture. Additionally, a well-documented SoA facilitates effective communication with stakeholders and partners.

Structure & Contents of an SoA ISO 27001

A complete SoA document should contain:

  • List of all ISO 27001 controls from Annex A: for example access controls, cryptography, asset management, and security awareness and training.
  • Relevance assessment: Which controls are applicable to the organization and why?
  • Justification for exclusions: Logical explanations if certain controls are excluded.
  • References to internal documents: Policies, processes, or technical implementations.
  • Approval and accountability: Clearly define who is responsible and when the SoA was last updated.
  • Additional notes: Record changes, planned security measures, and potential improvements.

Download a Free SoA ISO 27001 Template

Ready to create your Statement of Applicability quickly and professionally? Use our proven and free SoA template, specifically designed for ISO 27001:

➡️ Download your free SoA ISO 27001 Template here

A well-structured SoA helps organizations transparently document security measures, significantly improving audit readiness. Thoughtful selection and justification of controls reduce audit risks, ensuring auditors identify fewer issues or security gaps.

Common Mistakes & Misunderstandings about the SoA ISO 27001

Many organizations make critical mistakes when creating their SoA:

  • ❌ Missing or unclear justification for applicable or excluded controls.
  • ❌ Outdated SoA versions, causing issues during audits.
  • ❌ Poor integration with internal policies, making the document incomplete.
  • ❌ Generic or copied templates that are not tailored to specific organizational needs.
  • ❌ Lack of alignment with other ISMS documentation, leading to contradictions.

Best Practices for Creating an Effective SoA ISO 27001

Consider these best practices to create a helpful, audit-compliant SoA:

  • ✔ Regular Review & Updates: Review and adjust the SoA at least annually and after significant ISMS changes.
  • ✔ Clear Justification for Each Control: Provide clear rationale for applying or excluding security measures to satisfy auditors.
  • ✔ Link to Risk Assessment: Measures documented in the SoA should derive directly from your organization's risk assessment.
  • ✔ Involve Relevant Stakeholders: Engage IT security officers, data protection officers, and management when creating the SoA.
  • ✔ Utilize Templates & Automation: Efficiently manage and document the SoA using suitable tools and methods.

Get Started Now: Achieve ISO 27001 Certification Effortlessly

Need support implementing your ISO 27001 project? ISO 27001 projects can be complex, especially when identifying the right controls, optimizing processes, and efficiently meeting compliance requirements.

Our approach enables quick, structured implementation with 70% less manual effort—from gap analysis and risk management to certification readiness. Learn how to complete your ISO 27001 project in just 3–6 months:

Learn more here
