ISO 27001 Statement of ApplicabilityThe ISO 27001 Statement of Applicability (known as the SoA) is a core and required document in your ISO 27001 Information Security Management System (ISMS).  This document is required to be developed as part of Clause 6.1.3d. The SoA is essentially the document that sits in between the Risk Assessment and Risk Treatment Plan and you can read more about the Risk Treatment Plan here:

Once developed, the SoA should define which of the 114 Annex A controls you will apply and the justification as to why others were not implemented. Good practice is also to describe how each applicable control is implemented by referencing a policy, describing the procedure in use, or equipment/technology in place.

If you choose to go for the ISO 27001 Certification the auditor will/should do a line by line inspection of your SoA and validate that all the implemented controls are in fact implemented.

Pin It on Pinterest

Share This