
Statement of Applicability

Definition

A Statement of Applicability (SoA) is a core document in information security governance, risk, and compliance (GRC). It lists the controls an organization has selected to treat its identified risks and records, for each control, whether it applies, why, and whether it has been implemented. ISO/IEC 27001 requires an SoA explicitly (clause 6.1.3): it must cover every control in Annex A plus any additional controls the organization has chosen, with a justification for each inclusion and each exclusion. Auditors use the SoA to trace risks through to controls and evidence, so it also serves to demonstrate that the organization's information security management system (ISMS) meets its requirements and to justify any exclusions or deviations from the standard's control set.

Real-World Examples

Small Business GRC Implementation

A small organization creates a Statement of Applicability to document its security controls, demonstrating to customers and regulators that it meets its compliance obligations and protects customer data.

Enterprise Audit Preparation

A large organization updates its SoA regularly as part of its ISO 27001 audit cycle, reviewing the control environment and the security measures implemented across its global operations.

A Statement of Applicability (SoA) records which information security controls an organization has selected to treat its risks and meet its compliance requirements, such as those of ISO/IEC 27001, and which controls it has excluded and why.

To write an SoA, start from the risk assessment and risk treatment plan: decide which controls (from Annex A and any other source) are necessary, record each control's implementation status, and give a justification for every inclusion and every exclusion.

An SoA is central to demonstrating compliance with frameworks such as ISO/IEC 27001: it shows auditors which controls are in place and links each one back to the risk it treats, so the control set can be checked against the organization's risk management decisions rather than taken on trust.

An SoA should include the full list of controls considered, each control's applicability, its implementation status, any exclusions or modifications, and the justification for each decision. It is usually maintained as a table with one row per control, each row referencing the policy, procedure, or evidence that shows the control is implemented.

An SoA should be reviewed and updated at a defined interval and whenever the risk environment changes, new systems or controls are introduced, or the ISMS scope changes. It is also typically reviewed before audits so that it matches the control set actually in operation.

A risk assessment identifies and analyzes risks, the risk treatment plan decides how each risk is handled, and the Statement of Applicability documents the controls chosen as a result, with their status and justification. The three documents should be consistent with one another: every control in the SoA should trace to at least one risk or requirement, and every risk treated through controls should be covered by controls the SoA lists.

ISO/IEC 27001 explicitly requires a Statement of Applicability (clause 6.1.3). Other GRC frameworks do not always use the name, but most expect equivalent documentation showing that appropriate controls are in place to mitigate identified risks.

A Statement of Applicability is a key document during audits: it is the auditor's entry point for selecting controls to test, it is the organization's own record of which controls it claims to operate, and it shows how identified risks have been mitigated.

Version history

Version   Date         Author                             Description
1.0.0     2026-02-26   WatchDog Security GRC Wiki Team    Initial publication