What is the statement of applicability for ISO 27001?

When researching what you need for the ISO 27001 certification, you may have stumbled upon the term ‘statement of applicability’.

Confused? Don’t worry. We’ve done the hard work for you – here’s what the ISO 27001 statement of applicability is and why it’s important.

What is the statement of applicability for ISO 27001?

The statement of applicability is part of the risk assessment and information security management system (ISMS) component of ISO/IEC 27001. It’s a framework of policies surrounding your cyber security systems’ legality, physicality, and technicality.

Completing the statement of applicability (SoA) is a requirement of the ISO/IEC: a document you must develop, prepare, and submit as part of your step toward best practices regarding your data management systems.

What controls must you implement in the statement of applicability for ISO 27001?

There are no exact rules for developing your statement of applicability as ISO 27001 recognises that details of cyber security are unique to your business requirements. However, you must include the following:

1. An explanation of the elements of the security controls you’ve chosen to mitigate risks and a justification for why you’ve included them. These are decided through performing a gap analysis and risk assessment in the starting stages of your ISO/IEC 27001
2. If you’ve excluded any part of ISO/IEC 27001’s Annex A, which lists 114 control objectives and explains what they are, what they do, and why.

Why is the statement of applicability for ISO 27001 important?

1. Your statement of applicability is your roadmap to smooth and effective ISO 27001 implementation and operation. It’s a comprehensive document that identifies and categorises elements of your information security measures by product, department, and other criteria.
2. In ISO certifications, documentary evidence is crucial. Your statement of applicability provides physical proof to your auditor that you have taken the necessary steps to achieve your ISO 27001
3. Your statement of applicability assists in the continual improvement of your digital security as it gives you a framework to be able to compare what’s working and what’s not. It will then give you a scope in which to update.
4. If a data breach occurs, the controls you put into place will be justified. Your compliance will be proven, giving you confidence in your next steps.

Want to know more about the statement of applicability for ISO 27001?

If you’re looking for advice on ISO/IEC 27001, our experts are happy to answer any further questions you have. You can read our frequently asked questions about ISO 27001 or get in touch with us to learn more on how to get ISO 27001 certified.