What is a statement of applicability?
A Statement of Applicability (SOA) is a key document in the world of information security management systems. It acts as a bridge between your organization’s policies and the practical controls you put in place to protect your data.
Think of it as a map that shows which security measures you have chosen to implement, which ones you have left out, and why. The SOA is not just a checklist. It is a living record that explains your decisions and demonstrates your commitment to managing risks.
This document is especially important if you are working towards compliance with standards like ISO 27001, where auditors will want to see clear evidence of your choices and reasoning. The SOA helps everyone in your organization understand what is expected and why certain controls matter more than others.
What does a statement of applicability include?
The SOA outlines each control from the relevant standard, such as ISO 27001, and states whether your organization has adopted it or not. For every control, the SOA provides a justification for its inclusion or exclusion.
This means you do not just tick boxes. You explain your thinking. The SOA also records the current status of each control, showing if it is fully implemented, partially in place, or still being worked on.
This level of detail helps keep your security efforts transparent and accountable. By reviewing the SOA regularly, you can track progress and make sure your controls stay up to date as your business changes.
Why is a statement of applicability important?
The SOA is more than just paperwork. It is proof that your organization has thought carefully about its risks and made informed decisions.
Auditors and stakeholders use the SOA to check that your security controls are not only present but also appropriate for your specific needs. This document builds trust, both inside and outside your company.
When everyone knows what controls are in place and why, it is easier to work together towards stronger security.
How is a Statement of Applicability used?
A Statement of Applicability is used as a living record that shows which security controls an organization has chosen to implement, and why. It acts as both a checklist and a justification tool, making it clear to auditors and stakeholders how the company meets information security requirements.
The SOA is not just a formality. It is referenced throughout the lifecycle of an information security management system, especially during audits and reviews. By mapping out which controls are in place and which are excluded, the Statement of Applicability helps organizations stay accountable and transparent.
Selecting and justifying controls
The first step in using a Statement of Applicability is selecting relevant controls from a standard like ISO 27001. Each control is reviewed to determine if it applies to the organization’s specific risks and business context.
For every control, the SOA records whether it is implemented or not, and provides a reason for each decision. This justification process is crucial, and it typically draws on the organization's broader risk management records, so that decisions are documented and control selection stays consistent.
It prevents arbitrary choices and ensures that every control has a clear purpose. The SOA becomes a snapshot of the organization’s security posture, showing exactly why certain measures are in place and why others are not needed.
Demonstrating compliance during audit
When it comes time for an external or internal audit, the Statement of Applicability takes center stage. Auditors use the SOA as a roadmap to verify that the listed controls are actually in place and working as intended.
The document provides evidence that the organization has thought through its security needs and made informed decisions. If a control is marked as not applicable, the SOA’s justification helps auditors understand the reasoning.
This transparency streamlines the audit process and reduces the risk of misunderstandings or nonconformities, especially when the requirements include governance expectations, such as those set out in an AI policy.
Maintaining and updating the SOA over time
A Statement of Applicability is not a one-time document. As the organization grows or changes, so do its risks and requirements.
The SOA must be reviewed and updated regularly to reflect these shifts. New threats might require additional controls, while old risks may become irrelevant. Keeping the SOA current ensures that the information security management system remains effective and aligned with real-world needs.
This ongoing maintenance also demonstrates a commitment to continuous improvement, which is a core principle of most security standards.
Which elements are included in a Statement of Applicability?
A Statement of Applicability, often called an SOA, is a document that lists all the controls an organization has chosen to implement from a security standard like ISO 27001. It also explains why each control was selected or left out.
The SOA acts as a map, showing which security measures are in place and why. This makes it clear to anyone reviewing the document how the organization manages its information security risks.
List of applicable controls
One of the main elements in a Statement of Applicability is the list of controls that the organization has decided to include. These controls are usually taken from Annex A of ISO 27001, but they can also come from other sources if needed.
Each control is listed clearly, often with a reference number and a short description. This list is not just a copy-paste job. It is tailored to fit the specific needs and risks of the organization.
By doing this, the SOA shows exactly which security measures are being used to protect information. This helps both internal teams and external auditors understand the scope of the organization’s security efforts.
Justification for inclusion or exclusion
Another key part of the Statement of Applicability is the explanation for why each control was either included or excluded. For every control on the list, the SOA must state whether it is being applied or not.
If a control is included, the document explains the reason, such as a specific risk or a legal requirement. If a control is excluded, the SOA provides a justification for leaving it out.
This might be because the control is not relevant to the organization’s operations or because another measure already covers the risk. This level of detail ensures that decisions are transparent and based on real needs, not just guesswork.
Implementation status of controls
The Statement of Applicability also includes the current status of each control. This means stating whether a control is fully implemented, partially implemented, or not yet started.
This information is important because it shows how far along the organization is in its security journey. For example, some controls may be in progress due to technical challenges or resource limitations.
By documenting the implementation status, the SOA gives a realistic picture of the organization’s security posture at any given time. This helps management prioritize future actions and allocate resources where they are needed most.
Reference to supporting documentation
Finally, the SOA often points to other documents that provide more details about how each control is managed. These references might include policies, procedures, risk assessments, or audit reports.
By linking to these supporting documents, the Statement of Applicability becomes more than just a checklist. It turns into a living record that connects high-level decisions to day-to-day practices.
This makes it easier for anyone reviewing the SOA to dig deeper and verify that controls are not only chosen but also properly maintained and monitored over time.