SoA – The Importance of the Statement of Applicability in ISO/IEC 27001

Understand what a Statement of Applicability (SoA) is and why it plays a critical role in ISO/IEC 27001 certification and information security management.

Unfortunately, many professionals still view the Statement of Applicability (SoA) as a purely administrative document—a table created simply for auditors. However, this misconception can undermine both information security and the effectiveness of an Information Security Management System (ISMS).

When an SoA is missing or poorly structured, organizations face an increased risk of losing visibility over their security controls. This can result in unmanaged risks, overlooked security requirements, and ultimately vulnerabilities that expose critical information assets.

In this article, we will explore what the Statement of Applicability is, why it is important, and how it serves as a practical management tool that extends far beyond certification requirements.

What Is a Statement of Applicability (SoA)?

SoA stands for Statement of Applicability, a mandatory documented information requirement within ISO/IEC 27001.

Its primary purpose is to identify which security controls from Annex A have been selected by the organization and to justify their inclusion or exclusion.

The current version of ISO/IEC 27001 includes 93 controls organized into four categories:

  • Organizational controls
  • People controls
  • Physical controls
  • Technological controls

These controls provide a comprehensive framework for managing information security risks. However, not every control is applicable to every organization.

The SoA acts as a strategic roadmap that clearly identifies:

  • Which controls are applicable
  • Which controls are not applicable
  • The justification for each decision
  • How controls are implemented
  • The relationship between controls and identified information security risks

Because of its role in linking risks to controls, the SoA is considered one of the most important documents within an ISMS.

Is the Statement of Applicability Exclusive to ISO/IEC 27001?

From a certification perspective, yes. The SoA is a mandatory requirement specifically within ISO/IEC 27001.

However, the underlying concept of documenting applicability can be valuable across many management systems.

Organizations frequently determine that certain requirements or controls are not relevant to their specific context. The logic used within the SoA—documenting applicability decisions and their justification—can serve as a useful model for other management system frameworks.

In this sense, the Statement of Applicability represents more than a compliance document. It is a structured method for demonstrating the relationship between organizational risks, requirements, and management decisions.

Typical Structure of a Statement of Applicability

The SoA is a living document that evolves alongside the organization’s risk landscape and management system.

While ISO/IEC 27001 does not prescribe a specific format, most Statements of Applicability include information such as:

  • Annex A control reference
  • Control title
  • Applicability status
  • Justification for applicability or exclusion
  • Implementation status
  • Implementation evidence

Many organizations also include additional fields, such as:

  • Control owner
  • Control maturity level
  • Related risks
  • Associated performance indicators
  • Audit observations
  • Additional comments

The format itself is less important than the document’s ability to provide a clear and accurate representation of the organization’s security control environment.

How the SoA Supports Daily Operations

The Statement of Applicability ensures that selected security controls are directly aligned with the organization’s actual risks.

By centralizing decisions, justifications, and implementation evidence, the SoA creates greater transparency and consistency throughout the organization.

It also helps stakeholders from different functions—including information security, IT, compliance, executive leadership, and auditors—maintain a shared understanding of how security risks are managed.

As a result, the SoA becomes much more than a certification artifact. It serves as a practical reference for:

  • Security decision-making
  • Risk treatment activities
  • Control implementation priorities
  • Responsibility assignments
  • Audit preparation
  • Continuous improvement initiatives

Organizations can also use the document to identify gaps, evaluate control coverage, and prioritize future improvements.
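The fields listed under "Typical Structure" and the gap-identification use just described can be made concrete with a small consistency check. The following is an added example, not code from the article or from QMS: it builds a constructed SoA and risk register in memory (control numbering follows ISO/IEC 27001:2022 Annex A, every other value is illustrative) and flags the inconsistencies an auditor would look for, such as exclusions without justification, "implemented" controls with no evidence, and risks whose only treating control has been excluded. The field names and the finding texts are this example's own choices.

```python
"""Consistency checks over a Statement of Applicability (SoA).

Added example: validates a constructed SoA and risk register using the
fields the article lists (control reference, title, applicability,
justification, implementation status, evidence, owner, related risks).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SoaEntry:
    ref: str                      # Annex A control reference, e.g. "A.8.8"
    title: str
    applicable: bool
    justification: str            # required for inclusion AND exclusion
    status: str = "Not started"   # "Not started" | "In progress" | "Implemented"
    evidence: str = ""            # pointer to implementation evidence
    owner: str = ""
    related_risks: List[str] = field(default_factory=list)  # risk register IDs


# Constructed sample SoA (control numbers follow ISO/IEC 27001:2022 Annex A;
# justifications, owners and evidence references are illustrative)
SAMPLE_SOA: List[SoaEntry] = [
    SoaEntry("A.5.1", "Policies for information security", True,
             "Required for ISMS governance", "Implemented",
             "ISP-001 approved 2024-01", "CISO", ["R-01"]),
    SoaEntry("A.6.3", "Information security awareness, education and training", True,
             "Addresses phishing risk", "In progress", "", "HR Lead", ["R-02"]),
    SoaEntry("A.7.1", "Physical security perimeters", False,
             "", "", "", "", []),                       # excluded, no justification
    SoaEntry("A.8.8", "Management of technical vulnerabilities", True,
             "Treats R-03", "Implemented", "", "IT Ops", ["R-03"]),  # no evidence
    SoaEntry("A.8.24", "Use of cryptography", False,
             "No sensitive data at rest", "", "", "", ["R-04"]),     # excluded but linked
]

# Constructed risk register: risk ID -> controls chosen to treat that risk
SAMPLE_RISKS: Dict[str, List[str]] = {
    "R-01": ["A.5.1"],
    "R-02": ["A.6.3"],
    "R-03": ["A.8.8"],
    "R-04": ["A.8.24"],
    "R-05": [],          # risk with no treating control selected at all
}


def check_soa(soa: List[SoaEntry], risks: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (control_or_risk_id, finding) pairs; an empty list means consistent."""
    findings: List[Tuple[str, str]] = []
    by_ref = {e.ref: e for e in soa}

    for e in soa:
        # Every applicability decision needs a written justification
        if not e.justification.strip():
            findings.append((e.ref, "missing justification"))
        if e.applicable:
            if not e.owner:
                findings.append((e.ref, "applicable control has no owner"))
            # A control claimed as implemented must point at evidence
            if e.status == "Implemented" and not e.evidence:
                findings.append((e.ref, "implemented without evidence"))
        elif e.related_risks:
            # An excluded control cannot be treating a risk
            findings.append((e.ref, "excluded control is linked to risks "
                             + ", ".join(e.related_risks)))

    for risk_id, refs in risks.items():
        for r in refs:
            if r not in by_ref:
                findings.append((risk_id, f"references unknown control {r}"))
        treating = [r for r in refs if r in by_ref and by_ref[r].applicable]
        if not treating:
            findings.append((risk_id, "risk has no applicable treating control"))
    return findings


def coverage_summary(soa: List[SoaEntry]) -> Dict[str, int]:
    """Headline numbers for a management review: selected vs. evidenced controls."""
    applicable = [e for e in soa if e.applicable]
    evidenced = [e for e in applicable if e.status == "Implemented" and e.evidence]
    return {
        "total": len(soa),
        "applicable": len(applicable),
        "excluded": len(soa) - len(applicable),
        "implemented_with_evidence": len(evidenced),
    }


if __name__ == "__main__":
    for ident, finding in check_soa(SAMPLE_SOA, SAMPLE_RISKS):
        print(f"{ident}: {finding}")
    print(coverage_summary(SAMPLE_SOA))
```

Run against the sample data it reports five findings: A.7.1 is excluded without a reason, A.8.8 is marked implemented with no evidence, A.8.24 is excluded yet still linked to R-04, and risks R-04 and R-05 end up with no applicable treating control. In practice the same checks run over the organization's real SoA export (a spreadsheet or GRC tool extract) before each internal audit, so that the document reflects the control environment rather than only the certification paperwork.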

Statement of Applicability: Connecting the “What” and the “Why”

In simple terms, ISO/IEC 27001 defines what needs to be managed, while the Statement of Applicability explains which controls have been selected and, more importantly, why they have been selected.

This makes the SoA one of the most valuable documents within an Information Security Management System.

Rather than serving merely as a compliance requirement, it creates a direct connection between risks, controls, business decisions, and organizational strategy.

When properly developed, the SoA becomes a strategic compass for the ISMS. It guides organizations toward logical, risk-based, and context-appropriate security decisions.

In today’s environment of constantly evolving cyber threats, understanding the rationale behind each security control can be the difference between a robust management system and a collection of disconnected security measures.

Ultimately, the Statement of Applicability transforms information security from a checklist exercise into a structured and purposeful management practice.

QMS Certification

QMS is an accredited third-party certification body, currently present in 33 countries and focused on the certification of management systems. QMS America is managed by the US office and has consistently grown in market recognition through its technical level, customer satisfaction and competitive pricing.
