The importance of the Statement of Applicability in ISO 27001

Documentation needs to be developed to support every planned control and component of your ISO 27001 information security management system (ISMS). This helps to ensure consistent application and continual improvement.

Creating documentation is the most time-consuming part of implementing an ISMS and can run into thousands of pages for more complex businesses.

Download our free green paper for more information on implementing ISO 27001.

What is the Statement of Applicability?

The Statement of Applicability (SoA) is one of the crucial, mandatory reports that you will need to produce for your ISO 27001 ISMS.

Under Clause 6.1.3, ISO/IEC 27001:2013 states that organisations must produce an SoA that:

  • Identifies the selected controls to address the identified risks;
  • Explains why these have been selected;
  • States whether or not these have been implemented; and
  • Explains why any ISO 27001 Annex A controls have been omitted.

The SoA will contain at least 114 entries, one for each Annex A control, each of which will include additional information about the control and ideally link to relevant documentation about the implementation of the control.

The SoA is a useful document for everyday operational use and provides a useful roadmap to your ISMS.

The SoA must be updated regularly in line with the continual improvement philosophy of ISO 27001:2013, and as evidence of improvements to controls or compliance requirements.

How to develop the Statement of Applicability

Developing the SoA can be daunting, but there are tools that can help.

The ISO 27001 ISMS Documentation Toolkit contains an easy-to-use tool to create your ISO 27001 SoA.

Statement of Applicability ISO 27001

Example of the SoA tool included in the ISO 27001 ISMS Documentation Toolkit


The toolkit also includes:

  • A complete set of easy-to-use, customisable and fully ISO 27001-compliant documentation templates that will save you time and money;
  • Easy-to-use dashboards and gap analysis tools to ensure complete coverage of the Standard; and
  • Direction and guidance from expert ISO 27001 practitioners.


Vigilant Software’s information security risk assessment tool, vsRisk™, is fully aligned with ISO 27001 and can generate six audit-ready reports, including the SoA and risk treatment plan.

vsRisk streamlines the information risk assessment process and helps you produce consistent, robust and reliable risk assessments year after year.


IT Governance’s ISO 27001 Online FastTrack™ Consultancy service provides a consultant to undertake a range of activities, including development of all ISMS documentation, to help you achieve ISO 27001 certification in just three months.