What is a Statement of Applicability, SOA? and, How useful is it?

🕑 4 minutes read

What is SoA, Statement of Applicability?

Statement of Applicability (SoA) of standard ISO 27001, of Information Security Management System (ISMS), is a document formed by the complete list of the assessable information security controls, which are indicated in Annex A of the standard.

In it the organization indicates if each one of them is applicable or not, detailing the reasons and their status of implementation.

Although Annex A is the reference for the implementation of information protection measures, organizations may add other controls and control objectives if they consider it necessary.


At which point in the process of implementing the Information Security Management System does SoA take place?

Once the risk analysis and evaluation have been carried out, organization must define the treatment options for the risks and apply the security measures to be taken to mitigate them. It is at this point that the SoA document is usually developed, where to register the security controls that are applicable


Example:If, from the risk assessment, the need to apply a control against malware is identified, a treatment plan will be defined consisting of the acquisition, configuration and installation of antivirus software, dates of implementation, allocation of resources, etc. Once implemented, the justification for its implementation and the necessary references to the implemented procedures or technical controls must be recorded in the Statement of Applicability.

SoA characteristics:

SoA document can be registered in the format that organization considers most convenient, what is really important is its content, which will generally include:

  • standard controls,
  • whether or not they apply and their justifications,
  • their implemetion status,
  • related documentation (procedures, evidence, etc.),
  • all those additional data that may be considered necessary to record.

Importance and advantages of SoA

  • SoA allows traceability between controls of the standard and what is really done in the organization, thus providing a broad vision of what organization is doing to protect its information, and contributing to identification, organization and recording of security measures in place.
  • It allows justifying the inclusion or exclusion of each control, aspects that are not included in the Risk Assessment report.
  • Organizations that develop and implement an Information Security Management System (ISMS), and who want to obtain certification for ISO 27001, must have SoA document.
  • By documenting each applicable control and indicating whether it has been implemented or not, it becomes the primary guidance for both internal and external auditors. In general, auditor will access the statement of Applicability, and based on it will carry out the audit and verify compliance with what is documented.

Review and update

  • SoA is a living document, which must be reviewed and approved by the highest Security authority of the organization, and updated when any of the following situations occur, which involves applying new security controls or reviewing those already in place:
    • • New information, generated internally, transferred by third parties (customers, suppliers, etc.) or related to regulatory or legislative compliance.
    • Acquisition or replacement of assets that contain or manage information (mobile devices, software, suppliers, new communication technologies, etc.), which can lead to the appearance of new threats and vulnerabilities.
    • Organizational or operational changes that involves a change in information management.
    • Changes in the context or needs or requirements of interested parties: requirement of contracts or confidentiality clauses, appearance of new laws or regulations, expansion to new markets, new cybersecurity threats, etc.

    It is necessary to keep a version control of the Declarations of Applicability that we are making, recording the changes made.

At GlobalSuite Solutions we offer the help and advice necessary for the implementation of your Information Security Management System (ISMS).

In addition, we have the GlobalSuite® software, fully developed by our team, allows the implementation, management and maintenance of all the requirements required by the ISO 27001 standard in all types of organizations and sectors.