The Statement of Applicability in ISO 27001:2013


The Statement of Applicability (SoA) is one of the key documents in an ISO 27001 information security management system (ISMS).

It identifies the controls you have selected to address the risks that were identified in the risk assessment process, explains why those controls have been selected, states whether or not they have been implemented, and explains why any Annex A controls have been omitted.

As such, it provides an effective outline of the entire ISMS.

What does ISO 27001:2013 require?

The original version of ISO 27001:2013 was deemed unclear, so ISO/IEC issued a technical corrigendum in 2015 (ISO 27001 Technical Corrigendum 2: ISO/IEC 27001:2013/Cor.2:2015) to amend subclause 6.1.3, which sets out the requirements of an SoA.

This clarifies that, as part of the risk treatment process, organisations must produce an SoA that contains:

  • the necessary controls;
  • justification for their inclusion;
  • whether the necessary controls are implemented or not; and
  • the justification for excluding any of the Annex A controls.

Technical Corrigendum 2 can be downloaded free of charge direct from the ISO website, as can Technical Corrigendum 1, which replaces subclause A.8.1.1.

We suggest that you download both corrigenda when you buy your copy of ISO 27001. When you purchase the Standard from IT Governance, you’ll automatically receive a copy of both.

Legal, contractual and regulatory requirements

ISO 27001 requires an ISMS to take account of – and to document – the organisation’s legal, statutory, regulatory or contractual requirements, and its approach to meeting them. The SoA will record information about controls that relate to these requirements, and indicate whether they were implemented for reasons other than the risk assessment.

Benefits of the SoA

A risk assessment report can be quite lengthy – indeed, some organisations might identify thousands of risks – and is therefore not particularly useful for everyday operational use. The SoA, however, is relatively concise and can be used as an overview of the entire ISMS.

The SoA is also useful as a simple way of identifying the policies, procedures and other documentation or systems that have been applied in order to treat the identified risks.

The SoA must be updated regularly in line with the continual improvement philosophy of ISO 27001:2013, and as evidence of improvements to controls or compliance requirements.

Producing an SoA with vsRisk

vsRisk produces an SoA as you conduct your risk assessment, providing all the information you require, in an audit-ready format. You can export the report into XLS, PDF or CSV where you can customise it as you like.

An example of an SoA, which has been drawn from a sample risk assessment produced with vsRisk, can be seen below. vsRisk is packed with powerful features, giving you control over your assessments.

Learn more about vsRisk with a personal, one-to-one demo now.

Screenshot of an SoA produced by vsRisk

Screenshot of an SoA produced by vsRisk


Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.