ISO 27001 Statement of Applicability (SoA): What it is, what it must include, and audit expectations

This guide explains what the Statement of Applicability is, what it must include under ISO 27001:2022, common audit expectations, typical mistakes, and how auditors assess it during certification stages.

Key takeaways

  1. The SoA is mandatory under ISO 27001:2022 and explains which of the 93 controls you apply and why.

  2. A strong SoA clearly links risks, treatment decisions, and implemented controls - auditors check this at both stages.

  3. Poor justifications, outdated control counts, or weak risk alignment can delay certification.

What is a Statement of Applicability (SoA) in ISO 27001?

An ISO 27001 Statement of Applicability (SoA) is a mandatory document that explains which security controls your organisation has selected and why. It connects your risk assessment and risk treatment decisions to the controls listed in Annex A of the standard. 

In simple terms, it shows how you have addressed identified information security risks and which controls you have chosen to implement or exclude (and the justification for either). It is one of the first documents an auditor will review during a certification audit.

The current ISO 27001:2022 version reduced Annex A controls from 114 to 93, organised into four groups – organisational, people, physical, and technological – and your SoA must reflect this.

The SoA is required under ISO/IEC 27001:2022 Clause 6.1.3(d). It must clearly state whether each Annex A control is applicable, justify inclusion or exclusion, and confirm implementation status. 

Auditors use it to verify that your control selection is risk-based, logical, and defensible - not simply copied from a template.

Understanding ISO 27001

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It was developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), first published in 2005, updated in 2013 and most recently in 2022. It defines requirements for managing information security risks.

Why is the Statement of Applicability important?

The Statement of Applicability is a core document within your ISO 27001 certification. It explains which of the 93 Annex A controls you apply, which you exclude, and why. 

It shows how controls link to identified risks and management decisions, making your security approach clear, structured, and defensible.

Its importance runs through the entire certification lifecycle:

  • Certification requirement: It is a mandatory document for achieving ISO 27001 certification.

  • Risk management: It demonstrates how your selected controls address your specific risk profile.

  • Transparency: It provides internal and external stakeholders with a clear understanding of your security measures.

  • Recordkeeping: It acts as an ongoing reference document for surveillance and re-certification audits.

  • Audit stages: It is used in Stage 1 documentation review and in Stage 2 implementation verification to structure and guide the audit.

Audit focus: Auditors heavily scrutinise your SoA. They use the SoA as a roadmap in both Stage 1 and Stage 2 audits to verify that your controls and justifications align with your risk assessment.

The diagram below illustrates where the Statement of Applicability sits within the ISO 27001 process and why it acts as the bridge between risk assessment and audit verification.

Who needs a Statement of Applicability under ISO 27001?

Any organisation pursuing ISO 27001 certification must have a Statement of Applicability. It is not optional. The standard requires it as part of demonstrating a structured, risk-based approach to information security.

It applies to:

  • Any organisation seeking ISO 27001 certification.

  • Businesses with customer, regulatory, or contractual security requirements that require formal control justification.

This includes organisations such as:

  • SaaS and technology companies

  • Professional services firms

  • Financial services and fintech businesses

  • Healthcare and other data-driven organisations

Note: In the UK and the EU, regulatory frameworks such as the GDPR and contractual security clauses often make certain controls effectively unavoidable. Even where a control could technically be excluded under ISO 27001, legal or contractual obligations may require its implementation.

What should be included in a Statement of Applicability?

A strong ISO 27001:2022 Statement of Applicability should clearly document all 93 Annex A controls and explain your decisions in a structured, risk-based way. 

It must show the golden thread from risk identification to control implementation.

Your SoA should include:

  • A list of all 93 Annex A controls

  • Whether each control is applicable or not applicable

  • Clear justification (elaborated below) for both inclusion and exclusion

  • Explicit linkage to risk assessment and risk treatment decisions

  • Implementation status of each applicable control

  • Assigned control owner for accountability

  • References to supporting policies, procedures, or technical measures

  • A management approval statement and signature

Strong justifications should be clear, specific, and risk-based. They typically reference one of the following:

  • Risk treatment decisions arising from your risk assessment

  • Legal or regulatory obligations, such as GDPR

  • Contractual security requirements agreed with customers or partners

  • Business or operational needs, such as availability or service commitments

Simply marking a control as “applicable” or “not applicable” without explanation is not sufficient.

Your SoA should also include practical governance details, such as:

  • Management sign-off and approval date

  • Links to supporting policies or procedures

  • A clear explanation of how each control mitigates the identified risk

A well-structured SoA demonstrates completeness, defensible reasoning, and clear ownership - exactly what auditors expect to see during review.


How to write your Statement of Applicability?

Writing your ISO 27001 Statement of Applicability is about clearly documenting how your organisation has selected controls based on risk. 

The process should be structured and aligned to ISO/IEC 27001:2022.

Here is a practical 6-step approach:

1. Understand ISO 27001 requirements and the purpose of the SoA

Review Clause 6.1.3(d)* and Annex A of ISO 27001:2022. 

The SoA exists to document which of the 93 controls you apply and why. It must reflect a risk-based approach, not a generic list of controls.


*Understanding Clause 6.1.3 of ISO/IEC 27001:2022

Clause 6.1.3 of ISO/IEC 27001:2022 sits within the risk treatment section of the standard. It requires organisations to determine appropriate information security controls based on their risk assessment and compare them with Annex A to ensure nothing essential is missed.

Clause 6.1.3(d) specifically requires the creation of a Statement of Applicability. This document must identify which Annex A controls have been selected, justify any exclusions, and confirm their implementation status.

2. Conduct your risk assessment

Identify information security risks relevant to your organisation. Assess their likelihood and impact. Your control decisions must be driven by these findings.

3. Create your risk treatment plan

Decide how each identified risk will be treated - mitigate, transfer, avoid, or accept. Where mitigation is required, select appropriate Annex A controls.

4. Map Annex A controls to risks and treatment decisions

Annex A in ISO 27001:2022 groups 93 controls into 4 categories: organisational, people, physical, and technological. Review each control and determine whether it is applicable. 

Ensure selected controls clearly address identified risks.

5. Complete the SoA table with clear justifications

For each control, record:

  • Applicability (applicable / not applicable)

  • Justification for inclusion or exclusion

  • Link to risk treatment

  • Implementation status

  • Control owner

  • Reference to supporting policies

Justifications should be specific and defensible.

6. Review and maintain the SoA regularly

Your SoA should be approved by management, version-controlled, and updated when risks, systems, or regulations change. 

Auditors will review it at Stage 1 for completeness and at Stage 2 to verify implementation.

Is the Statement of Applicability mandatory for ISO 27001?

Yes, it is mandatory under ISO/IEC 27001:2022 Clause 6.1.3(d).

Without a Statement of Applicability (SoA), your ISMS is not compliant.

What happens if the SoA is missing?

In practice, this is identified during Stage 1 (documentation review).

  • A completely missing SoA represents a major gap.

  • You will not proceed to Stage 2 until it is in place.

  • It usually indicates wider weaknesses in ISMS preparation, not just a single missing document.

At Stage 1, auditors flag it as a critical issue that must be resolved before certification can continue - and it will most likely mean a delayed Stage 2.

Auditor expectation

  • The SoA must be complete and aligned with your risk assessment.

  • It must reflect the ISO 27001:2022 control structure (93 Annex A controls).

  • The version of the SoA must match the version of the standard referenced in the audit.

An incomplete or outdated SoA might delay certification.

Common mistakes to avoid when preparing your SoA

Even well-prepared organisations make avoidable errors in their Statement of Applicability. 

Common mistakes include:

  • Missing justifications: Every control - applicable or not applicable - must have a clear rationale as to its applicability.

  • Poor linkage to risk assessment: Controls must clearly connect to identified risks and treatment decisions. Weak or generic explanations are a common Stage 1 failure point.

  • Ignoring implementation status: Auditors expect honest, current reporting of whether controls are fully implemented.

  • Outdated control counts: Referencing 114 controls (from ISO 27001:2013) instead of the 93 controls in ISO 27001:2022 immediately signals a lack of alignment.

  • Treating it as “one and done”: The SoA should evolve as risks, systems, and regulations change.

Treating your SoA as static or not mapping every control to a risk justification invites nonconformities in audits.
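The fields listed under step 5 and the mistakes above are mechanical enough to check before an auditor does. The script below is an added example written for this guide; it is not a tool from Tempo Audits or from the standard itself. It models one row of the SoA table, generates the 93 control identifiers from the ISO/IEC 27001:2022 Annex A numbering (5.1 to 5.37 organisational, 6.1 to 6.8 people, 7.1 to 7.14 physical, 8.1 to 8.34 technological) and flags a register that omits a control, carries a 2013-style identifier, lists a control twice, leaves a justification blank, or marks a control applicable without linking it to a risk. The field names, status values, risk IDs and policy references are this example's own constructed conventions.

```python
from collections import Counter
from dataclasses import dataclass, field

# ISO/IEC 27001:2022 Annex A numbering: 93 controls across four themes
# (5.x organisational, 6.x people, 7.x physical, 8.x technological).
ANNEX_A_THEMES = {
    5: ("organisational", 37),
    6: ("people", 8),
    7: ("physical", 14),
    8: ("technological", 34),
}
EXPECTED_CONTROL_IDS = [
    f"{theme}.{n}"
    for theme, (_, count) in ANNEX_A_THEMES.items()
    for n in range(1, count + 1)
]
VALID_STATUS = {"implemented", "partially implemented", "planned"}  # constructed vocabulary


@dataclass
class SoaRow:
    """One line of the SoA table (field names are this example's own choice)."""
    control_id: str
    applicable: bool
    justification: str = ""
    risk_refs: list = field(default_factory=list)  # risk register IDs this control treats
    status: str = ""                               # implementation status of applicable controls
    owner: str = ""                                # accountable control owner
    policy_ref: str = ""                           # supporting policy / procedure reference


def validate_soa(rows):
    """Return a list of findings; an empty list means the register passes every structural check."""
    findings = []
    counts = Counter(r.control_id for r in rows)
    seen = set(counts)

    missing = [cid for cid in EXPECTED_CONTROL_IDS if cid not in seen]
    if missing:
        findings.append(f"missing {len(missing)} of 93 Annex A controls, e.g. {missing[:3]}")
    unknown = sorted(seen - set(EXPECTED_CONTROL_IDS))
    if unknown:
        findings.append(f"control ids not in the 2022 Annex A (2013 numbering or typo?): {unknown}")
    duplicates = sorted(cid for cid, n in counts.items() if n > 1)
    if duplicates:
        findings.append(f"duplicate control ids: {duplicates}")

    for r in rows:
        # Every control, applicable or not, needs a rationale.
        if not r.justification.strip():
            findings.append(f"{r.control_id}: no justification")
        if not r.applicable:
            continue
        # Applicable controls must trace back to a risk treatment decision and carry status and owner.
        if not r.risk_refs:
            findings.append(f"{r.control_id}: applicable but not linked to any risk")
        if r.status not in VALID_STATUS:
            findings.append(f"{r.control_id}: implementation status missing or invalid ({r.status!r})")
        if not r.owner.strip():
            findings.append(f"{r.control_id}: no control owner")
    return findings


def build_clean_register():
    """Constructed sample: all 93 controls, one excluded with a stated justification."""
    rows = []
    for cid in EXPECTED_CONTROL_IDS:
        if cid == "7.4":  # constructed: a physical control excluded by a fully remote organisation
            rows.append(SoaRow(cid, False, "No on-premises facilities; fully remote organisation"))
        else:
            rows.append(SoaRow(cid, True, "Treats risk R-001 (constructed sample risk)",
                               ["R-001"], "implemented", "Head of Security", "POL-SEC-01"))
    return rows


def build_defective_register():
    """Constructed sample carrying the mistakes the article lists, for demonstration only."""
    rows = [r for r in build_clean_register() if r.control_id != "8.34"]  # one control omitted
    for r in rows:
        if r.control_id == "8.1":
            r.justification = ""          # marked applicable with no rationale
        if r.control_id == "5.7":
            r.risk_refs = []              # applicable but not linked to a risk
    rows.append(SoaRow("A.12.6.1", True, "Patch management", ["R-002"],
                       "implemented", "IT Manager", "POL-IT-05"))  # 2013-style identifier
    rows.append(rows[0])                  # control 5.1 listed twice
    return rows


if __name__ == "__main__":
    for finding in validate_soa(build_defective_register()):
        print(finding)
```

Run against the defective register it reports five findings (the omitted 8.34, the 2013-style identifier, the duplicated 5.1, the blank justification on 8.1 and the unlinked 5.7); the clean register produces none. Exporting your real SoA to the same row shape and running the check is a cheap way to catch the Stage 1 problems described above before submission.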

It is also important not to confuse the SoA with the risk treatment plan. The risk treatment plan explains how each risk will be addressed, whereas the SoA documents which Annex A controls have been selected and justified as a result of those decisions.

How Tempo Audits reviews your Statement of Applicability

At Tempo Audits, the SoA is examined at both audit stages - but with a different focus.

Stage 1: Completeness and logic

We review whether your SoA is properly designed and ready to audit against. This includes:

  • All 93 Annex A controls listed

  • Clear applicability decisions and justifications

  • Logical alignment with your risk assessment and treatment plan

  • Defined control ownership and approval

  • No inappropriate exclusions

At this stage, we ask: Is your SoA well-thought-out and risk-based?

If it is incomplete or poorly aligned, you will not proceed to Stage 2.

Stage 2: Evidence and implementation

Here we verify that reality matches your SoA. We test whether applicable controls are implemented and operating effectively. On-site, we may request:

  • Access control logs

  • Backup evidence

  • Training records

  • Vulnerability scan results

  • Incident management records

A clear, traceable link from risk → control selection → implementation is critical. Without that traceability, nonconformities are likely.

Book your ISO 27001 audit with confidence!

Tempo Audits delivers UKAS-accredited ISO 27001 certification audits with a clear, structured, and practical approach. We focus on risk alignment, evidence-based verification, and realistic audit expectations.

Whether you are entering Stage 1, moving to Stage 2, or transitioning to ISO 27001:2022, our team will guide you through the certification process with clarity and professionalism.

Request a quote today and take the next step towards ISO 27001 certification with confidence.

FAQs

  • Your Statement of Applicability should be reviewed at least annually and whenever significant changes occur, such as new systems, risks, regulations, or organisational changes. It must remain aligned with your current risk assessment.

  • Yes. If your SoA is incomplete, poorly justified, misaligned with risks, or inconsistent with implementation, auditors will raise findings. Significant gaps can delay certification or prevent progression to Stage 2.

  • Clauses 4-10 set out the mandatory requirements for how your ISMS must be structured and managed.

    Annex A lists 93 security controls that you choose from based on your risks - and your Statement of Applicability explains those choices.