ISO 27001: How to Write a Statement of Applicability


You need a Statement of Applicability for an ISO 27001 certification. Here's a quick guide to make the process as stress-free as possible.

Cyber incidents are the leading risk to businesses globally for 2022, according to a recent survey of risk management experts. "Cyber incidents" here covers cybercrime, IT failures and outages, data breaches, and the fines and penalties that follow them.

None of this is good news for your data or for your business.

For these and other reasons, companies are choosing to pursue ISO 27001 certification. ISO 27001 helps you manage information security risk systematically and build trust with customers who have growing concerns about how their information is handled.

A major component in pursuing ISO 27001 certification is your Statement of Applicability (SoA). If you’re not sure where to begin, consider this post your quick start guide to make the process as stress-free as possible.


What’s an ISO 27001 Statement of Applicability?

A Statement of Applicability is a document required for ISO 27001 certification. It lists the Annex A controls your organization has determined to be necessary for treating its information security risks, with a justification for each inclusion and a note on whether the control is implemented yet, together with the Annex A controls you have excluded and the justification for each exclusion.

This is an internal document that you typically share only within your organization and with your certification body. That said, it is essential to get it right: the auditor uses it as the map of your control set, and an incomplete or inconsistent SoA will slow down certification.

How to Create Your Statement of Applicability

Here’s a breakdown of the steps you’ll need to take to put together an SoA for your organization.

Understand the Requirements

The first step to writing an ISO 27001 Statement of Applicability is understanding the requirements, which can be overwhelming if you're new to information security or to ISO 27001.

Nevertheless, understanding these requirements will help ensure that your SoA is accurate and complete. For a high-level breakdown of ISO 27001 requirements, check out this guide.

Conduct a Risk Assessment

To begin the process of writing an ISO 27001 Statement of Applicability, you will need to conduct a risk assessment. The purpose of this step is to evaluate the information security risks that could pose harm or loss to your organization.


If you have already completed a risk assessment, use that information as a starting point. 

If not, start by:

Determining the Appropriate Methodology 

Your risk assessment should be tailored to your organization's environment and circumstances. In other words, choose a risk assessment methodology that gathers the information you need about the particular risks affecting your company.

Most risk assessments follow either a qualitative approach, which uses expert judgment to rate each risk's likelihood and impact on a scale such as low/medium/high, or a quantitative approach, which estimates the expected monetary loss of each risk from its probability and its cost when it occurs. Either approach can be combined with an asset-based view (start from the assets and what threatens them) or a threat-based view (start from the threats and which assets they affect).

Both ISO 27005 and NIST SP 800-30 provide guidance for choosing and applying a risk assessment methodology.

Looking for Guidance

If you don’t have a cybersecurity expert on your team, you could hire a consultant to help identify threats that could affect your organization’s ability or success in achieving its goals. They may suggest strategies or tools they’ve used when working with companies in your industry which can help form your own plan.

Again, this can be particularly useful if you’re a new organization or don’t have much experience with risk assessments. Getting input from others can help create a more complete risk profile.


Determine Your Risk Management Strategy

This is the point where you define your risk treatment strategy: for each identified risk, decide whether to modify it (apply controls), retain it, avoid it, or share it with another party, and record what you need to implement to manage it effectively. For example, an organization may decide to treat the risk of exposed customer records by implementing encryption for sensitive data at rest.

Once you have defined a treatment for every risk, you will have a clearer picture of which types of controls are best suited to each part of your organization's systems, and this mapping from risks to controls is what the SoA will document.

Select the Security Controls Most Relevant to Your Organization

Every company is different, and that means the controls you implement may be unique to your organization or industry.

If you run a large manufacturing business with multiple warehouses where inventory is always being shipped out or returned to storage, then physical access control could be part of your ISO 27001 certification process.

However, other companies may find that they don’t face many physical security risks and that another set of controls are at the top of their priority list. 

Complete the SoA 

At this point, you have everything you need to put your Statement of Applicability together. 

If you have chosen to exclude an Annex A control, it is important to provide a justification for that decision. Typically the justification is either that no identified risk requires the control, or that the control does not apply to your organization at all (for example, secure development controls in a company that develops no software). Where a risk was considered and judged too low to warrant the control, say so and reference the risk.

You will also need to document the reason for including each Annex A control, and whether it is already implemented. Typically, the reason for including a control is that it was determined to be necessary for treating one or more specific information security risks, so the SoA should reference those risks. Every included control should trace back to at least one risk, and every risk in your treatment plan should trace forward to at least one included control.
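The following script is an added example and is not part of the original article or any tool the article describes. It builds an SoA table from a constructed risk register and a constructed, illustrative subset of Annex A control references (verify the identifiers and titles against the current edition of the standard before reusing them), and then runs the consistency checks an auditor would apply: an included control must trace to a risk, an excluded control must carry a justification, a control cannot be both excluded and required by a risk, and an applicable control that is not yet implemented is flagged.

```python
"""Build and sanity-check an ISO 27001 Statement of Applicability from a risk register.

Added example, not from the original article. The control catalogue, risk register,
exclusions and implementation status below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    ref: str
    title: str


@dataclass
class Risk:
    ref: str
    description: str
    treatment: str                      # modify / retain / avoid / share
    controls: list = field(default_factory=list)  # control refs chosen to treat this risk


@dataclass
class SoAEntry:
    control: str
    title: str
    applicable: bool
    justification: str
    implemented: bool
    risks: list


# Constructed, illustrative subset of Annex A (ISO/IEC 27001:2022 numbering).
CATALOGUE = [
    Control("A.5.1", "Policies for information security"),
    Control("A.5.15", "Access control"),
    Control("A.7.1", "Physical security perimeters"),
    Control("A.8.24", "Use of cryptography"),
    Control("A.8.25", "Secure development life cycle"),
]

# Constructed risk register: each treated risk names the controls that treat it.
RISKS = [
    Risk("R1", "Unauthorised access to customer records in production", "modify",
         ["A.5.15", "A.8.24"]),
    Risk("R2", "Theft of laptops from the office", "modify", ["A.7.1"]),
    Risk("R3", "Minor service outage from single-region hosting", "retain"),
]

# Constructed exclusions: control ref -> justification recorded in the SoA.
EXCLUSIONS = {"A.8.25": "No in-house software development; all software is procured."}

# Constructed implementation status.
IMPLEMENTED = {"A.5.15", "A.7.1"}


def build_soa(catalogue, risks, exclusions, implemented):
    """Return one SoAEntry per catalogue control, derived from the risk register."""
    usage = {c.ref: [] for c in catalogue}
    for r in risks:
        for cref in r.controls:
            if cref not in usage:
                raise ValueError(f"risk {r.ref} references unknown control {cref}")
            usage[cref].append(r.ref)
    rows = []
    for c in catalogue:
        linked = usage[c.ref]
        if linked and c.ref in exclusions:
            # Contradiction: a control cannot be excluded while a risk treatment needs it.
            raise ValueError(f"{c.ref} is excluded but required by {', '.join(linked)}")
        if linked:
            rows.append(SoAEntry(c.ref, c.title, True,
                                 "Required to treat " + ", ".join(linked),
                                 c.ref in implemented, linked))
        else:
            rows.append(SoAEntry(c.ref, c.title, False,
                                 exclusions.get(c.ref, ""), False, []))
    return rows


def check_soa(rows):
    """Return the findings an auditor would raise against these SoA rows."""
    issues = []
    for row in rows:
        if not row.applicable and not row.justification:
            issues.append(f"{row.control}: excluded without justification")
        if row.applicable and not row.implemented:
            issues.append(f"{row.control}: applicable but not yet implemented")
    return issues


def render_soa(rows):
    """Render the SoA as tab-separated lines, one per control, for export to a spreadsheet."""
    header = "Control\tTitle\tApplicable\tImplemented\tRisks\tJustification"
    body = [f"{r.control}\t{r.title}\t{'Yes' if r.applicable else 'No'}\t"
            f"{'Yes' if r.implemented else 'No'}\t{','.join(r.risks)}\t{r.justification}"
            for r in rows]
    return "\n".join([header] + body)


if __name__ == "__main__":
    soa = build_soa(CATALOGUE, RISKS, EXCLUSIONS, IMPLEMENTED)
    print(render_soa(soa))
    for finding in check_soa(soa):
        print("FINDING:", finding)
```

With the sample data, A.5.1 is flagged because it is neither linked to a risk nor explicitly excluded, and A.8.24 is flagged because a risk treatment depends on it but it is not yet implemented. Both are the kinds of gap that a certification auditor will ask about, so running the checks before the audit is cheaper than discovering them during it.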

Plan Annual Updates

Once you've completed your Statement of Applicability and risk assessment, you'll need to keep them current. Review both at planned intervals (at least annually) and whenever something significant changes, so that the SoA still reflects the risks you actually face and the controls you actually operate.

In particular, stay on top of technology and organizational changes that may affect your risk treatment plan: a new system, supplier, office, or line of business can make a previously excluded control applicable, and the SoA and its justifications should be updated to match.
