
What is a Statement of Applicability (SoA)?

The Statement of Applicability (SoA) is a mandatory requirement of ISO 27001 and one of the most important documents in an Information Security Management System (ISMS). It is how an organisation demonstrates which controls apply to it — and how.

Definition and purpose

The SoA is the document that sets out the controls selected to address the information security risks identified during risk assessment. It acts as a roadmap, showing which Annex A controls apply to the organisation and how they are implemented.

What it typically contains

  1. Scope — the boundaries of the ISMS within the organisation
  2. Summary of controls — the selected controls and why they are relevant
  3. Rationale — justification for including or excluding each control, based on the risk assessment and organisational context
  4. Implementation status — whether each control is implemented, partially implemented or pending
  5. Dependencies — relationships between controls and organisational processes
  6. Review and approval — documented stakeholder sign-off

A living document

The SoA is dynamic — it evolves as the organisation’s risk profile changes and is updated as part of routine ISMS maintenance, for example when new threats emerge or controls are added, removed or re-scoped. In the standard, the requirement to produce it sits at clause 6.1.3 (within 6.1, addressing risks and opportunities), and its control set is benchmarked against the Annex A control objectives. It is mandatory documentation and is presented to external auditors during the ISMS audit.

Why it matters

A well-maintained SoA delivers several benefits:

  • Clear documentation of which controls are relevant and necessary
  • Customisation of controls to the organisation’s needs and risk environment
  • Transparency and accountability over what is and isn’t implemented, and why
  • Risk-management alignment between identified risks and the controls addressing them
  • Continuous improvement, through regular review of control effectiveness
  • Compliance verification during internal and external audits
  • Demonstrated due diligence in managing security and meeting legal, regulatory and contractual obligations

In short

The Statement of Applicability brings clarity, transparency and alignment to how information security controls are implemented under ISO/IEC 27001 — which is exactly why auditors look to it first.
