The Essential Guide to Statement of Applicability (SoA) for ISO 27001 Certification

Antonia Pervanidis

13 December 2023


This guide covers the Statement of Applicability (SoA), a crucial document for achieving ISO 27001 certification of an Information Security Management System (ISMS). The SoA records the outcome of the organization's systematic evaluation of its security risks, showing which controls and control objectives have been implemented. It serves as a roadmap of how the organization meets and maintains its information security requirements, thereby protecting the confidentiality, integrity, and availability of sensitive information.

In This Guide, You'll Discover:

  1. What is a Statement of Applicability (SoA)?
  2. Key Measures to Implement in Your Business
  3. Why SoA is Crucial for ISO 27001 Certification
  4. What Information Does the SoA Contain?
  5. The Benefits of a SoA
  6. How to Create a SoA

ISO 27001 certification, pivotal for all data-handling companies, enhances customer trust and strengthens corporate values. Even if not mandatory, it provides a robust legal framework. The SoA is one of the vital documents required in the ISO 27001 certification process. This article provides detailed insights into the SoA, explaining its importance and the steps for its creation.

What is the SoA?

The SoA is a central component of a company's ISMS. It outlines the control objectives and controls established by the organization. Regular contents of the SoA include:

  • Necessary actions, especially those from Annex A of ISO 27001
  • Reasons for including or excluding certain measures
  • Implementation status

The SoA is a key document for companies seeking ISO certification and is typically one of the first items an external auditor examines. It corresponds to clause 6.1.3 in the main body of the ISO 27001 standard, which deals with actions to address risks and opportunities.

Using the SoA, a company can determine how current ISO 27001 requirements and guidelines are being met and compare them with the measures in Annex A, which comprises 114 information security controls in 14 categories.


Creating Your SoA: A Step-by-Step Guide

Whether it's your first time creating a SoA or you're aiming to improve your strategy and results, these six steps will guide you in crafting a successful SoA in line with ISO 27001 standards:

  1. Understanding What Measures to Include
    • Determine which of the 93 measures you wish to include in your document, along with references to the relevant implementation resources.
  2. Identifying and Analyzing Risks
    • Collaborate with your team to identify and analyze hidden risks that could compromise the confidentiality, integrity, and availability of your ISMS resources.
  3. Selecting Measures for Risk Treatment
    • Implement measures to minimize risks to a manageable extent, following ISO 27001's four suggested risk mitigation strategies: retain/tolerate, avoid/terminate, share/transfer, or modify/treat.
  4. Developing a Risk Treatment Plan
    • Create a Risk Treatment Plan (RTP) as part of your ISO 27001-certified ISMS, summarizing all identified risks, chosen solutions, the owner of each risk, and the expected date for implementing the RTP.
  5. Listing Recommended Measures
    • Include every measure suggested in Annex A, indicating whether they have been implemented, and provide reasons for their inclusion or exclusion.
  6. Maintaining Your SoA
    • Regularly update your SoA to align with the latest ISO standards and changes in your company or ISMS scope.
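The six steps above produce two artefacts that must agree with each other: the SoA (every Annex A control, its applicability, the reason for including or excluding it, and its implementation status) and the Risk Treatment Plan (each risk, its treatment option, owner, target date and the controls chosen to treat it). The script below is an added example, not part of the original article, showing how to cross-check the two before an audit. The `SoAEntry` and `RiskTreatment` data model, the `check_soa` function and the three-control subset of Annex A are all assumptions constructed for this illustration; a real SoA would list all 93 controls.

```python
"""Consistency checker for a Statement of Applicability (SoA) and Risk Treatment Plan (RTP).

Added example; the data model and sample data are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# The four risk treatment options the article names (retain/tolerate, avoid/terminate,
# share/transfer, modify/treat), keyed by the first word of each pair.
TREATMENT_OPTIONS = {"retain", "avoid", "share", "modify"}
STATUSES = {"implemented", "partially implemented", "planned", "not applicable"}


@dataclass
class SoAEntry:
    control_id: str          # Annex A control identifier, e.g. "A.5.1"
    title: str
    applicable: bool         # True = included in the ISMS, False = excluded
    justification: str       # reason for inclusion or exclusion (required either way)
    status: str              # one of STATUSES
    reference: str = ""      # policy/procedure where the control is implemented


@dataclass
class RiskTreatment:
    risk_id: str
    treatment: str           # one of TREATMENT_OPTIONS
    owner: str
    due_date: str            # target date for implementing the treatment (kept as text)
    control_ids: List[str] = field(default_factory=list)


def check_soa(annex_a_ids: List[str], entries: List[SoAEntry],
              treatments: List[RiskTreatment]) -> List[Tuple[str, str]]:
    """Return (where, problem) findings; an empty list means SoA and RTP are consistent."""
    findings: List[Tuple[str, str]] = []
    by_id: Dict[str, SoAEntry] = {}
    for e in entries:
        if e.control_id in by_id:
            findings.append((e.control_id, "listed more than once"))
        by_id[e.control_id] = e
    # Step 5: every Annex A control must appear, with a reason and a status.
    for cid in sorted(set(annex_a_ids) - set(by_id)):
        findings.append((cid, "Annex A control missing from SoA"))
    for e in by_id.values():
        if e.control_id not in annex_a_ids:
            findings.append((e.control_id, "not an Annex A control"))
        if not e.justification.strip():
            findings.append((e.control_id, "no reason given for inclusion/exclusion"))
        if e.status not in STATUSES:
            findings.append((e.control_id, f"unknown status '{e.status}'"))
        if e.applicable == (e.status == "not applicable"):
            findings.append((e.control_id, "applicability flag and status disagree"))
        if e.applicable and e.status == "implemented" and not e.reference.strip():
            findings.append((e.control_id, "implemented control has no implementation reference"))
    # Steps 3 and 4: every risk has a valid treatment, an owner, a date and real controls.
    seen_risks = set()
    for t in treatments:
        if t.risk_id in seen_risks:
            findings.append((t.risk_id, "risk listed more than once in RTP"))
        seen_risks.add(t.risk_id)
        if t.treatment not in TREATMENT_OPTIONS:
            findings.append((t.risk_id, f"unknown treatment option '{t.treatment}'"))
        if not t.owner.strip() or not t.due_date.strip():
            findings.append((t.risk_id, "risk has no owner or no target date"))
        if t.treatment == "modify" and not t.control_ids:
            findings.append((t.risk_id, "'modify' treatment names no controls"))
        for cid in t.control_ids:
            entry = by_id.get(cid)
            if entry is None:
                findings.append((t.risk_id, f"references control {cid} that is not in the SoA"))
            elif not entry.applicable:
                findings.append((t.risk_id, f"references control {cid} that the SoA excludes"))
    return findings


# Constructed sample: a three-control subset standing in for the full Annex A list.
SAMPLE_ANNEX_A = ["A.5.1", "A.8.7", "A.7.8"]
SAMPLE_ENTRIES = [
    SoAEntry("A.5.1", "Policies for information security", True,
             "Required for the ISMS; treats risk R-1", "implemented", "POL-01"),
    SoAEntry("A.8.7", "Protection against malware", True,
             "Treats risk R-2 (endpoint compromise)", "partially implemented"),
    SoAEntry("A.7.8", "Equipment siting and protection", False,
             "", "not applicable"),                          # excluded without a reason
]
SAMPLE_TREATMENTS = [
    RiskTreatment("R-1", "modify", "CISO", "2024-03-31", ["A.5.1"]),
    RiskTreatment("R-2", "modify", "IT Ops", "2024-06-30", ["A.8.7", "A.7.8"]),  # A.7.8 is excluded
    RiskTreatment("R-3", "accept", "Legal", "2024-06-30"),   # not one of the four options
]

if __name__ == "__main__":
    for where, problem in check_soa(SAMPLE_ANNEX_A, SAMPLE_ENTRIES, SAMPLE_TREATMENTS):
        print(f"{where}: {problem}")
```

Run against the constructed sample, the checker reports the three deliberate inconsistencies (an excluded control with no justification, a treatment relying on that excluded control, and a treatment option outside the four the standard offers); once those are corrected it returns an empty list, which is the state to aim for before the auditor opens the SoA.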