
Understanding the Statement of Applicability

The Statement of Applicability is a critical document for ISO 27001. Learn what it contains and how to create one correctly.

What is the Statement of Applicability?

The Statement of Applicability (SoA) is one of the most important documents in your ISO 27001 implementation. It’s a list that identifies which security controls from Annex A your organization has chosen to implement—and which ones you’ve excluded and why.

Why is the SoA Important?

The SoA serves multiple purposes:

  1. Demonstrates scope - Shows exactly what your ISMS covers
  2. Justifies exclusions - Documents why certain controls don’t apply
  3. Gives auditors insight - Provides a roadmap for certification audits
  4. Helps with procurement - Shows customers your security commitments

How to Create Your SoA

Step 1: Review All Annex A Controls

ISO 27001 Annex A has 93 controls organized into 4 themes:

  • Organizational controls (0-15)
  • People controls (16-22)
  • Physical controls (23-28)
  • Technological controls (29-93)

Step 2: Conduct a Risk Assessment

Your risk assessment determines which controls are needed. For each control, consider:

  • What risks does this control address?
  • What would happen if we didn’t implement it?
  • Is the control relevant to our operations?

Step 3: Document Your Decisions

For each control, record one of four statuses:

Status                 | Meaning
-----------------------|----------------------------------------------
Applicable             | We implement this control
Not applicable         | We exclude this control (with justification)
Partially applicable   | We implement with modifications
Out of scope           | Control doesn’t apply to our ISMS scope

Step 4: Get Management Approval

Your SoA requires sign-off from top management. This demonstrates leadership commitment and ensures resources for implementation.

Common Mistakes to Avoid

  • Copying another company’s SoA - Your controls must match your specific risks
  • Excluding too many controls - Auditors will question extensive exclusions
  • Vague justifications - Be specific about why controls don’t apply
  • Forgetting to update - The SoA is a living document that changes with your organization

Example Justification for Exclusions

Control A.8.3.1 - Information deletion

Justification: Our organization does not store personal data on any systems. All data retention is handled by cloud service providers who maintain their own data deletion policies. Therefore, this control is not applicable to our ISMS scope.

Next Steps

Need help creating your Statement of Applicability? Our toolkit includes a complete SoA template with examples and guidance for each control.