Statement of Applicability (SoA)

Document
Updated: 2026-02-23

The Statement of Applicability is a central, mandatory governance document within a management system that explicitly defines which security controls an organization has chosen to implement and which it has decided to exclude. It serves as the primary link between the organization's risk assessment, risk treatment plan, and the established framework of security controls. This document details every potential control from the selected framework, stating its applicability status, the justification for its inclusion or exclusion, and its current implementation state. Auditors meticulously review the Statement of Applicability to ensure that all necessary controls have been considered, that exclusions are logically sound and properly justified, and that the organization's security posture accurately reflects the realities of its operational environment and risk landscape.

Statement of Applicability Register (Example Snippet)

An example of how individual controls are documented within the applicability statement.

Control ID: AC-001
Control Name: Access control
Applicable: Yes
Justification for Inclusion: Required to mitigate risks associated with unauthorized access to systems processing sensitive data.
Implementation Status: Fully Implemented
Evidence Reference: Access Control Policy, IAM Configuration Snapshots

Control ID: PH-002
Control Name: Physical entry controls
Applicable: No
Justification for Exclusion: The organization operates a 100% remote workforce with no physical offices or on-premises servers. All infrastructure is hosted by certified cloud providers.

A Statement of Applicability is a foundational document within a management system that explicitly lists all the security controls from the standard framework. It identifies which of those controls the organization has chosen to implement to mitigate identified risks, and which controls have been excluded, providing clear justifications for both inclusion and exclusion.

Yes, the creation and maintenance of this document is a strictly mandatory requirement for achieving certification against most major security management frameworks. It acts as the definitive roadmap of the organization's security posture and is one of the primary artifacts auditors use to guide their assessment of the implemented controls.

A comprehensive statement should include a complete list of all controls provided by the applicable framework, a clear indication of whether each control is applicable or not, a detailed justification for why a control was included or excluded, and a reference to the specific policies, procedures, or technical mechanisms used to implement the applicable controls.

Applicability is determined directly by the outcomes of the organization's comprehensive risk assessment and risk treatment processes, as well as any legal, regulatory, or contractual obligations. If a control mitigates an identified risk or fulfills a compliance requirement, it must be marked as applicable and subsequently implemented. Many teams track these decisions in a GRC platform; for example, WatchDog Security's Risk Register can link risks to treatment decisions, while WatchDog Security's Compliance Center can map applicable controls across multiple frameworks to keep the SoA aligned as scope changes.

Exclusions are justified by demonstrating that the specific risk the control addresses does not exist within the organization's environment, or that the relevant technology or process is simply not used. For instance, if an organization has no physical offices and operates entirely remotely in the cloud, physical entry controls would be legitimately excluded with that justification.

The risk treatment plan details the specific actions, timelines, and responsibilities for mitigating identified risks, essentially serving as a project plan for security improvements. In contrast, the Statement of Applicability is a point-in-time declaration of the organization's current control posture, mapping the selected risk treatments directly to the standard's comprehensive list of recognized security controls. Organizations often manage the treatment plan in WatchDog Security's Risk Register, then reference those treatments back to the applicable controls listed in the SoA.

The document must be reviewed and updated at planned intervals, typically annually, or whenever significant changes occur within the business environment, infrastructure, or the management system itself. Continuous maintenance ensures that the declared security controls accurately reflect the organization's evolving operational and risk landscape. To reduce drift, many teams use version control and approvals for SoA updates; WatchDog Security's Policy Management supports approval workflows and acceptance tracking for related policies that the SoA references. WatchDog Security's Compliance Center can also help teams keep evidence and control mappings current across multiple frameworks.

Yes, during a formal certification audit, assessors will select a sample of the controls marked as applicable in the document and require concrete evidence, such as system configurations, logs, or policy acknowledgments, to verify that the control is not only documented but also effectively implemented and operating as intended. To streamline audit readiness, organizations can attach evidence links to each applicable control and export an evidence package from WatchDog Security's Compliance Center. When sharing artifacts externally, WatchDog Security's Secure File Sharing can add encrypted delivery, TOTP verification, and access logs.

Yes, an organization can successfully achieve certification even if numerous controls are marked as not applicable, provided that those exclusions are logically sound and rigorously justified. The framework allows for flexibility, ensuring that organizations only implement controls that are genuinely relevant to their specific size, scope, and operational model.

A good template is typically structured as a comprehensive spreadsheet or database that lists the control identifier, the control description, a binary applicability flag, the detailed justification for inclusion or exclusion, the current implementation status, and hyperlinks to the internal evidence or policies that demonstrate compliance with that specific control.

A GRC platform can centralize control decisions, justifications, and evidence links so the SoA stays current as risks and scope change. WatchDog Security's Compliance Center helps map controls across 20+ frameworks and maintain a single source of truth for applicability. WatchDog Security's Risk Register can tie each applicable control to the underlying risk and treatment plan, and WatchDog Security's Policy Management can keep referenced policies versioned and approved.

Organizations can reduce audit friction by attaching evidence artifacts to each applicable control and generating a consistent export for assessors. WatchDog Security's Compliance Center supports exportable evidence packages, and WatchDog Security's Secure File Sharing can share sensitive files with encryption, TOTP verification, and audit logs. For recurring customer requests, WatchDog Security's Trust Center can publish approved evidence to a controlled, customer-facing portal.

Version | Date       | Author                          | Description
1.0.0   | 2026-02-23 | WatchDog Security GRC Wiki Team | Initial publication