What is the ISO 27001 Statement of Applicability (SoA)?
The Statement of Applicability (SoA) is one of the core mandatory documents required by ISO/IEC 27001.
It lists all 93 controls of Annex A in ISO/IEC 27001:2022 and shows:
* Which controls the organisation has selected
* Why they were selected
* Whether they are implemented or not implemented
* How they are being applied within the organisation
* A justification for inclusion or exclusion of each of the 93 controls listed in the document.
The SoA demonstrates how the organisation’s security controls align with its risks, business objectives, regulatory obligations, and operational environment.
A properly maintained SoA is a governance document that provides visibility into the organisation’s actual control environment. It is not simply an Annex A checklist.
How to develop the SoA
Before developing the SoA, the organisation must first conduct a risk assessment and document its results.
After the risk assessment process:
* Risks are identified and evaluated.
* The organisation decides how to treat each risk and documents the decision in a Risk Treatment Plan (RTP).
* An RTP entry may read “Treat risk xxxxx using control A.8.xxx”. The RTP also records the status of each treatment decision, such as Not started, In progress or Completed.
Once the RTP is documented, you can develop the SoA. List all 93 controls in the first column. The second column states whether each control is applicable: “Yes” or “No” (some templates also allow “N/A”). The third column is the “justification” column, where you state why each control was included or excluded. Every control needs a reason for being selected or not selected, whether that reason is a risk treated in the RTP, a legal or contractual obligation, or a business decision.
There should also be a “status” column showing whether each control is “implemented”, “planned” or “in progress”. This column must agree with your RTP: the status of a control in the RTP should match the status of the same control in the SoA. If a risk treatment in the RTP shows “not started”, the control should be marked “planned” in the SoA; “in progress” maps to “in progress”; “completed” maps to “implemented”. Where one control treats several risks, it is only “implemented” once every treatment that relies on it is completed.
Explaining the status of the controls in the SoA
Best practice is to mark the SoA status of each control as:
* Planned – the control is selected but implementation has not yet started
* In progress / Partially implemented – implementation activities are ongoing and not yet complete
* Implemented – the control is operational and supporting evidence exists
* Not applicable (N/A) – the control has been excluded with a documented justification and is therefore not implemented
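The column layout and the RTP-to-SoA status mapping above are exactly the kind of thing an auditor checks row by row, and the kind of thing that drifts when the two documents are maintained by hand. The script below is an added example, not part of the original article or any ISO template: it models the SoA and RTP as simple records and reports every inconsistency the text warns about (a control in the RTP missing from the SoA, a status that does not match the mapping, an excluded control without a justification, and an “Implemented” control with no evidence reference). All control identifiers, risk IDs and evidence strings are constructed sample data; the mapping table, status names and the rule that a control treating several risks is only “implemented” when all of them are completed are taken from the explanation above.

```python
"""Cross-check a Statement of Applicability (SoA) against a Risk Treatment Plan (RTP).

Added example, not from the original article. All records below are constructed
sample data, not a real organisation's SoA or RTP.
"""
from dataclasses import dataclass, field

# RTP treatment status -> SoA control status it must agree with (mapping from the text).
RTP_TO_SOA = {
    "not started": "planned",
    "in progress": "in progress",
    "completed": "implemented",
}

# Spellings seen in SoA templates, normalised to the four canonical statuses.
SOA_ALIASES = {
    "partially implemented": "in progress",
    "na": "not applicable",
    "n/a": "not applicable",
}


@dataclass
class SoaRow:
    control: str          # Annex A identifier, e.g. "A.8.13"
    applicable: str       # "Yes" or "No"
    justification: str    # reason for inclusion or exclusion; must never be empty
    status: str           # Planned / In progress / Implemented / Not applicable
    evidence: list[str] = field(default_factory=list)  # references to operational evidence


@dataclass
class RtpEntry:
    risk_id: str
    control: str          # control selected to treat the risk
    status: str           # Not started / In progress / Completed


def normalise(status: str) -> str:
    s = status.strip().lower()
    return SOA_ALIASES.get(s, s)


def expected_soa_status(rtp_statuses: set[str]) -> str:
    """A control that treats several risks is 'implemented' only when every treatment
    is completed, 'planned' only when none has started, and 'in progress' otherwise."""
    mapped = {RTP_TO_SOA[s] for s in rtp_statuses}
    if mapped == {"implemented"}:
        return "implemented"
    if mapped == {"planned"}:
        return "planned"
    return "in progress"


def check_soa(soa_rows: list[SoaRow], rtp_entries: list[RtpEntry]) -> list[str]:
    """Return one finding per RTP/SoA inconsistency an auditor would raise."""
    findings: list[str] = []
    soa_by_control = {r.control: r for r in soa_rows}

    # 1. Which controls does the RTP rely on, and in what treatment states?
    rtp_statuses: dict[str, set[str]] = {}
    for e in rtp_entries:
        status = normalise(e.status)
        if status not in RTP_TO_SOA:
            findings.append(f"{e.risk_id}: unknown RTP status '{e.status}'")
            continue
        rtp_statuses.setdefault(e.control, set()).add(status)

    # 2. Every control the RTP uses must be in the SoA, applicable, and in the agreed status.
    for control, statuses in sorted(rtp_statuses.items()):
        row = soa_by_control.get(control)
        if row is None:
            findings.append(f"{control}: selected in RTP but missing from SoA")
            continue
        if row.applicable.strip().lower() != "yes":
            findings.append(f"{control}: selected in RTP but SoA marks it not applicable")
        want = expected_soa_status(statuses)
        if normalise(row.status) != want:
            findings.append(f"{control}: RTP implies '{want}' but SoA says '{row.status}'")

    # 3. Row-level rules that hold regardless of the RTP.
    for row in soa_rows:
        status = normalise(row.status)
        applicable = row.applicable.strip().lower() == "yes"
        if not row.justification.strip():
            findings.append(f"{row.control}: no justification for inclusion/exclusion")
        if not applicable and status != "not applicable":
            findings.append(f"{row.control}: excluded but status is '{row.status}'")
        if applicable and status == "not applicable":
            findings.append(f"{row.control}: included but status is 'Not applicable'")
        if status == "implemented" and not row.evidence:
            findings.append(f"{row.control}: marked Implemented with no evidence reference")
    return findings


# Constructed sample data: deliberately seeded with the four classic mistakes.
SAMPLE_SOA = [
    SoaRow("A.5.1", "Yes", "Policy baseline required for all other controls", "Implemented",
           evidence=["Information security policy, approved version on record"]),
    SoaRow("A.8.7", "Yes", "Treats malware risk R-02", "Implemented"),           # no evidence
    SoaRow("A.8.13", "Yes", "Treats data-loss risk R-03", "Planned"),            # RTP says Completed
    SoaRow("A.8.16", "Yes", "", "In progress"),                                   # no justification
    SoaRow("A.7.1", "No", "Fully remote organisation, no premises in scope", "N/A"),
]
SAMPLE_RTP = [
    RtpEntry("R-01", "A.5.1", "Completed"),
    RtpEntry("R-02", "A.8.7", "Completed"),
    RtpEntry("R-03", "A.8.13", "Completed"),
    RtpEntry("R-04", "A.8.16", "In progress"),
    RtpEntry("R-05", "A.8.24", "Not started"),   # A.8.24 is absent from the SoA above
]

if __name__ == "__main__":
    for finding in check_soa(SAMPLE_SOA, SAMPLE_RTP):
        print("FINDING:", finding)
```

Run against real data, the two lists would be read from the SoA and RTP spreadsheets; the checks themselves do not change. Rule 2 is the one that catches the “overly optimistic” SoA described later in the article, because it derives the expected status from the RTP rather than trusting the value typed into the SoA.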
What Auditors want to see in your SoA
During both internal and certification audits, auditors rely heavily on the SoA because it helps determine:
* Which controls should exist
* Which controls should be operating
* Which controls require testing
* Whether the ISMS is functioning as intended
The SoA also helps auditors verify consistency between:
* The risk assessment results
* The Risk Treatment Plan (RTP)
* Policies and procedures
* Operational evidence for each control
* Actual business practices
If the SoA is inaccurate, outdated, or overly optimistic, it will create significant issues during the audit.
Audit evidence / SoA control implementation evidence
If a control is marked as “Implemented,” there should be evidence demonstrating operational effectiveness.
Examples of operational evidence may include:
* Configuration exports
* Security monitoring logs
* Access review records
* Backup test results
* Vulnerability scan reports
* Security awareness training records
* Change management tickets
* Approved procedures
* Screenshots of active security settings
* Incident response testing results
Before a Stage 2 certification audit, certification bodies will expect evidence that controls are not only documented, but actually functioning within the environment. A control that exists only on paper is unlikely to satisfy audit expectations.
Need support with ISO 27001 implementation?
Book a free consultation or free assessment – https://cybermentors.co.uk/contact/
We support:
* ISO 27001 new certification
* Maintenance of existing ISO 27001 certification
* ISO 27001 gap analysis
* ISO 27001 maturity assessment
* ISO 27001 internal audits
* ISO 27001 Lead Implementer training & certification
* ISO 27001 Lead Auditor training & certification
Looking to switch career to cyber security?
We have the best and most practical cybersecurity GRC training – view our course details here – https://cybermentors.co.uk/cybersecurity-grc-course/