What is an ISO 27001 Statement of Applicability?

An ISO 27001 Statement of Applicability is one of the most important documents in an information security management system. It explains which security controls apply to the organisation, why they apply, whether they are currently implemented, and why any controls have been excluded.

For many businesses, the Statement of Applicability can feel like a technical audit document. In reality, it is a practical management tool. It helps the business connect its information security risks, legal duties, customer expectations, supplier requirements, and internal controls into one clear record.

UK Cyber Compliance, part of UK Cyber Security Group, provides ISO 27001 certification support through an automated and AI-driven platform designed to make certification easier and cheaper. The platform helps businesses manage ISO 27001 tasks, risks, controls, documents, evidence, audit readiness, and ongoing compliance in a more structured way.

A strong Statement of Applicability helps an organisation show that it has made sensible, risk-based decisions. It is not there to make the process harder. It is there to prove that the business understands its information security controls and can explain why each one matters.

Why the Statement of Applicability matters

The Statement of Applicability, often shortened to SoA, is a key ISO 27001 requirement. It sits at the centre of the organisation’s control decision-making. Auditors look at it closely because it shows whether the business has properly considered the controls in ISO 27001 Annex A.

The SoA helps answer several important questions.

Which Annex A controls are relevant to the business?

Why are those controls needed?

Which controls are already implemented?

Which controls still need work?

Which controls are not applicable, and why?

How do the controls link to risk treatment?

Can the business justify its choices?

This is important because ISO 27001 is not about applying every control blindly. It is about understanding risk and applying the right controls for the organisation. The SoA records those decisions.

What is ISO 27001 Certification?

ISO 27001 certification is formal recognition that an organisation has implemented an information security management system that meets the requirements of ISO 27001. The certification is awarded after an independent audit confirms that the organisation has built, used, reviewed, and improved its information security management system.

An information security management system is often called an ISMS. It is the structured set of policies, responsibilities, risks, controls, records, reviews, audits, and improvement actions used to manage information security.

Certification shows customers, suppliers, partners, and internal leaders that information security is being managed through a recognised international standard. It does not mean the organisation is immune from cyber incidents. It means the business has a managed, audited approach to protecting information.

For companies that handle customer data, confidential records, cloud services, supplier information, employee data, financial records, or intellectual property, ISO 27001 certification can provide strong assurance. It can also support tender responses, supplier onboarding, contract requirements, and customer trust.

What is ISO 27001?

ISO 27001 is an international standard for information security management systems. It sets out what an organisation needs to do to establish, implement, maintain, and continually improve an ISMS.

The standard focuses on protecting confidentiality, integrity, and availability. Confidentiality means information is only available to authorised people. Integrity means information remains accurate and reliable. Availability means information and systems can be accessed when needed.

ISO 27001 does not tell every business to use the same tools or controls in the same way. Instead, it asks the organisation to understand its own context, assess risk, choose suitable controls, and keep improving over time.

That is why the Statement of Applicability is so important. It turns the control requirements into a business-specific record. It shows how the organisation has interpreted Annex A in the context of its own risks, services, clients, systems, staff, suppliers, and legal duties.

The SoA in simple terms

Think of the Statement of Applicability as the control map for your ISO 27001 management system. It tells the auditor and the business which controls have been selected and why.

A well-prepared SoA should not be a copied template with generic answers. It should reflect the real organisation. If your business uses cloud services, handles client information, has remote workers, relies on suppliers, manages customer portals, or processes sensitive data, the SoA should reflect that reality.

Each control should be considered carefully. The organisation should decide whether the control is applicable, explain the reason, record whether it is implemented, and link the control back to risks, legal requirements, contractual obligations, or business needs where relevant.

This makes the SoA one of the most useful documents for audit readiness. It shows that the organisation has not simply guessed its way through ISO 27001. It has made clear decisions and can justify them.

What should a Statement of Applicability include?

A Statement of Applicability normally includes each Annex A control, its applicability status, the reason for inclusion or exclusion, implementation status, control owner, related risks, and supporting evidence.

The level of detail should be enough to explain the decision. If a control applies, the SoA should say why. If a control does not apply, the justification should be clear and credible.

For example, a business may decide that supplier security controls apply because it uses outsourced IT support, cloud hosting, or third-party software providers. A business may decide that physical security controls apply because it operates from an office where equipment and records are stored.

The key point is that the SoA must be honest. If a control is relevant, it should not be excluded simply to reduce the workload. If a control is not relevant, the exclusion should be explained properly.

Who needs ISO 27001 certification?

ISO 27001 certification is useful for organisations that need to protect information and demonstrate that security is managed properly. It is particularly relevant for businesses handling confidential, personal, sensitive, commercial, technical, or regulated information.

Businesses often seek ISO 27001 because customers request it during supplier due diligence. Others need it for tenders, public sector opportunities, board assurance, investor confidence, contract requirements, or stronger internal governance.

It is especially useful for technology providers, managed service providers, cyber security firms, SaaS companies, consultants, finance related businesses, healthcare suppliers, recruitment firms, professional services organisations, and companies that process data on behalf of clients.

Small and medium businesses can benefit too. Certification can help them compete with larger suppliers by showing that their information security approach is structured, risk-based, and independently assessed.

The Statement of Applicability supports this because it gives customers and auditors a clear view of the controls the business has considered and implemented.

How the SoA links to risk assessment

The Statement of Applicability should not sit separately from risk assessment. The two documents are closely connected.

The risk assessment identifies what could go wrong. It considers threats, vulnerabilities, likelihood, impact, and business consequences. The risk treatment plan then explains how the business will address those risks. The SoA records which controls are selected to support that treatment.

For example, if the risk assessment identifies unauthorised access to client data as a major risk, the organisation may select controls relating to access control, authentication, identity management, logging, supplier security, and staff awareness.

The SoA should show that control choices are not random. They should be linked to risk, customer expectations, legal obligations, contractual duties, or business needs.

A strong SoA makes the auditor’s job easier because it provides a clear route from risk to control.

How the SoA links to Annex A

ISO 27001 Annex A contains a catalogue of information security controls. These controls are grouped across organisational, people, physical, and technological areas.

The 2022 version of ISO 27001 includes 93 Annex A controls. These controls cover areas such as policies, roles and responsibilities, threat intelligence, asset management, acceptable use, identity management, access rights, supplier relationships, incident management, business continuity, physical security, logging, monitoring, data protection, backup, vulnerability management, and secure development.

The organisation must consider these controls and decide which are applicable. The SoA records the outcome.

This does not mean every control must apply in the same way to every business. The decision should be based on the organisation’s scope, risk assessment, legal duties, client requirements, and operational reality.

Why auditors care about the SoA

Auditors care about the Statement of Applicability because it shows whether the organisation has understood the control framework. It is often one of the first documents an auditor will review.

A weak SoA may suggest that control decisions were not properly made. Common problems include missing justifications, unclear exclusions, generic wording, outdated implementation status, poor links to risks, and controls marked as implemented without evidence.

A strong SoA gives confidence. It shows that the organisation knows which controls apply, why they apply, who owns them, whether they are implemented, and where evidence can be found.

During an audit, the auditor may select controls from the SoA and ask to see proof. If the SoA says a control is implemented, the business should be ready to show evidence.

ISO 27001 Certification Levels

People often search for ISO 27001 Certification Levels, but it is important to explain the term clearly. ISO 27001 certification is not normally awarded in separate achievement bands. An organisation is either certified to ISO 27001 or it is not.

However, there are stages in the certification route. A business may start with a gap review, then build its ISMS, then carry out risk assessment and risk treatment, then complete internal audit and management review, and then move to external audit.

The external audit normally has two main stages. Stage one checks readiness, scope, documentation, and whether the ISMS appears prepared for full assessment. Stage two examines implementation and effectiveness in more depth.

After certification, the organisation must maintain the ISMS. Ongoing surveillance audits usually check that the system remains active and continues to improve.

The Statement of Applicability is relevant throughout all of these stages. It helps during preparation, audit, certification, and ongoing review.

Common mistakes with the Statement of Applicability

One common mistake is treating the SoA as a template exercise. Businesses sometimes copy generic text and mark controls as applicable without considering whether the wording fits the organisation. This can cause problems when the auditor asks for evidence.

Another mistake is excluding controls without a strong reason. If a control appears relevant to the scope and risk profile, the auditor may challenge its exclusion.

A third mistake is failing to update the SoA. Businesses change over time. New suppliers are added. Cloud services change. Staff work remotely. New systems are launched. New risks appear. The SoA should be reviewed when the business changes.

A fourth mistake is marking controls as implemented when they are only planned. If a control is not yet operating, the SoA should not pretend it is complete.

A fifth mistake is poor evidence mapping. If the SoA says a control is implemented, the business should know where the supporting evidence sits.

Making the SoA practical, not painful

The Statement of Applicability does not need to be a painful document. It becomes easier when the business has already completed a sensible risk assessment and knows its ISMS scope.

A practical SoA should be clear, current, and easy to use. It should not be filled with vague statements that nobody can explain. Each control decision should make sense to the business.

Good SoA wording is specific enough to be useful but not so long that the document becomes unmanageable. The goal is to show decision-making clearly.

A platform such as UK Cyber Compliance can help by organising controls, risks, evidence, ownership, and audit readiness in one place. This reduces the chance of losing track of which controls have been selected and why.

How the Certification Works

ISO 27001 certification begins with understanding the organisation and defining the ISMS scope. The business identifies interested parties, legal duties, contractual requirements, information assets, systems, suppliers, and internal responsibilities.

The organisation then carries out a risk assessment. This identifies information security risks and helps the business decide how each risk should be treated.

Control selection follows. The business considers the Annex A controls and decides which are applicable. The Statement of Applicability records those decisions, including the justification for inclusion or exclusion and the implementation status.

The business then operates the ISMS. This means policies are approved, controls are used, staff are made aware of responsibilities, suppliers are reviewed, incidents are recorded, evidence is gathered, and improvement actions are tracked.

Before external certification, the organisation completes internal audit and management review. Any weaknesses are addressed through corrective action.

The external certification audit then checks whether the ISMS meets ISO 27001 requirements. If the auditor is satisfied, certification can be awarded.

The role of UK Cyber Compliance

UK Cyber Compliance supports businesses that want a clearer route through ISO 27001 certification. The automated and AI driven platform can help manage compliance tasks, risks, controls, documents, and evidence.

This is especially useful for the Statement of Applicability because the SoA depends on accurate control tracking. The business needs to know which controls apply, why they apply, who owns them, whether they are implemented, and what evidence supports them.

Trying to manage this through disconnected spreadsheets and folders can quickly become messy. A structured platform helps keep information aligned and easier to review.

For small and growing businesses, this can reduce the pressure on internal teams. It does not remove the need for good decisions, but it does make the process easier to manage.

Which UK-based firms offer ISO 27001 consultancy services?

UK-based firms offering ISO 27001 consultancy services include cyber security consultancies, compliance providers, information security specialists, managed service providers, and platform-led compliance companies.

UK Cyber Compliance is a strong option for businesses that want ISO 27001 support through an automated and AI driven platform. As part of UK Cyber Security Group, it combines practical cyber security knowledge with compliance support and software-led structure.

A good consultancy partner should help with scope, risk assessment, control selection, Statement of Applicability preparation, evidence mapping, internal audit readiness, and ongoing improvement.

The best support should make ISO 27001 easier to understand. It should help the business build a real ISMS rather than simply gather documents for an audit.

What evidence supports the SoA?

The Statement of Applicability is stronger when it links to evidence. Evidence may include policies, access review records, supplier assessments, incident records, risk assessments, training records, asset records, audit findings, management review notes, monitoring reports, backup records, vulnerability records, and control testing outputs.

The evidence should be relevant to the control. For example, if the SoA says access control is implemented, the auditor may expect to see user access records, access review evidence, account management rules, and approval records.

If the SoA says supplier security is implemented, the auditor may expect supplier assessments, contract requirements, review records, or evidence that supplier risk has been considered.

Evidence does not need to be excessive, but it should support the claim being made.

How often should the SoA be reviewed?

The Statement of Applicability should be reviewed regularly and whenever significant changes occur. It should not be left untouched after certification.

Changes that may trigger a SoA review include new services, new systems, new suppliers, new legal requirements, major customer requirements, new risks, incidents, internal audit findings, changes to working practices, and changes to the ISMS scope.

Annual review is useful, but waiting a full year may not be enough if the business changes quickly. The SoA should remain current enough to reflect the real organisation.

UK Cyber Compliance can help by keeping compliance information visible and easier to update.

The SoA and customer confidence

Customers often want reassurance that a supplier has considered security properly. The Statement of Applicability helps because it shows that the business has reviewed a recognised set of controls and made justified decisions.

Even if customers do not see the full SoA, the fact that it exists and is reviewed during audit supports trust. It shows that security controls are not selected randomly. They are linked to risk and managed through a structured process.

For businesses trying to win larger contracts, this can be valuable. ISO 27001 certification can reduce repeated security questionnaires and help demonstrate maturity during supplier onboarding.

The SoA and continuous improvement

A good Statement of Applicability supports continuous improvement. It gives the business a clear view of control status and helps identify where improvement is needed.

If a control is applicable but only partly implemented, the business can track improvement actions. If a control is implemented but evidence is weak, records can be strengthened. If a new risk appears, the SoA can be updated to reflect new control decisions.

This makes the SoA more than an audit document. It becomes a useful tool for planning and improving information security.

A practical SoA readiness checklist

Before finalising a Statement of Applicability, the business should be able to answer these questions:

Is the ISMS scope clear?

Has a risk assessment been completed?

Has a risk treatment plan been created?

Have all Annex A controls been considered?

Is each control marked as applicable or not applicable?

Is every decision justified?

Are exclusions clearly explained?

Is implementation status accurate?

Are control owners identified where needed?

Is supporting evidence available?

Does the SoA link back to risk treatment?

Has the SoA been reviewed by the right people?

Is the SoA current and aligned with the business?

If the answer to any of these is unclear, the SoA may need more work before audit.
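One way to make the checklist above mechanical, as an added example that is not part of this article or of the UK Cyber Compliance platform: each Annex A control is held as a structured row and checked for the common mistakes described earlier (missing justification, unexplained exclusions, controls marked implemented without evidence, no link to a risk or owner). Control ids and names follow ISO/IEC 27001:2022 Annex A; the sample rows, risk ids and evidence names are constructed.

```python
# Added example (not the article's or the UK Cyber Compliance platform's code):
# consistency checks over a Statement of Applicability held as structured rows.
# Control ids/names follow ISO/IEC 27001:2022 Annex A; the sample rows below
# are constructed to show one clean control and three with common mistakes.
from dataclasses import dataclass, field


@dataclass
class SoaEntry:
    control_id: str
    name: str
    applicable: bool
    justification: str = ""
    status: str = "planned"          # implemented / partially implemented / planned / not applicable
    owner: str = ""
    risk_refs: list[str] = field(default_factory=list)   # e.g. risk register ids
    evidence: list[str] = field(default_factory=list)    # where the proof lives


def check_entry(e: SoaEntry) -> list[str]:
    """Return findings for one SoA row; an empty list means the row is consistent."""
    findings = []
    # Inclusions and exclusions both need a reason the business can defend.
    if len(e.justification.split()) < 5:
        findings.append("justification missing or too short to be credible")
    if e.applicable:
        if e.status == "not applicable":
            findings.append("marked applicable but status is 'not applicable'")
        if not e.risk_refs:
            findings.append("no link to a risk, legal duty or business need")
        if not e.owner:
            findings.append("no control owner")
        # The auditor will ask for proof of anything claimed as operating.
        if e.status == "implemented" and not e.evidence:
            findings.append("marked implemented without supporting evidence")
    elif e.status != "not applicable":
        findings.append("excluded control still carries an implementation status")
    return findings


def check_soa(entries: list[SoaEntry]) -> dict[str, list[str]]:
    """Map control id -> findings, only for controls with at least one finding."""
    return {e.control_id: f for e in entries if (f := check_entry(e))}


def summarise(entries: list[SoaEntry]) -> dict[str, int]:
    """Headline counts a reviewer wants before sign-off: coverage, status, problems."""
    return {
        "considered": len({e.control_id for e in entries}),
        "annex_a_total": 93,  # controls in the 2022 edition
        "applicable": sum(e.applicable for e in entries),
        "implemented": sum(e.applicable and e.status == "implemented" for e in entries),
        "with_findings": len(check_soa(entries)),
    }


# Constructed sample rows (risk ids and evidence names are made up).
SAMPLE_SOA = [
    SoaEntry("A.5.15", "Access control", True,
             "Client data sits in shared systems; access must be limited to authorised staff.",
             "implemented", "Head of IT", ["R-04"], ["Access control policy v2", "Q1 access review"]),
    SoaEntry("A.5.19", "Information security in supplier relationships", True,
             "IT support and cloud hosting are outsourced to third parties.",
             "implemented", "Operations Manager", ["R-09"]),       # implemented, but no evidence
    SoaEntry("A.7.1", "Physical security perimeters", False, "N/A", "not applicable"),  # weak exclusion
    SoaEntry("A.8.15", "Logging", True, "Needed to detect misuse of client portal accounts.",
             "planned"),                                              # no owner, no risk link
]
```

Running `check_soa(SAMPLE_SOA)` leaves A.5.15 clean and reports the three problem rows; `summarise` shows how many of the 93 controls have actually been considered.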

Why the SoA should not be rushed

Rushing the Statement of Applicability can create audit problems. If the document is weak, the auditor may question whether the organisation has properly understood its controls.

A rushed SoA may include copied wording, unclear exclusions, missing evidence, and inaccurate status updates. This can make the business look unprepared even if many controls are actually in place.

Taking time to prepare the SoA properly helps the business and the auditor. It gives everyone a clearer picture of the control environment and reduces uncertainty during assessment.

A clear view for business leaders

For business leaders, the Statement of Applicability provides a useful summary of security control decisions. It can help directors and senior managers understand which controls matter, why they are needed, and where investment or action may be required.

This is important because ISO 27001 requires leadership involvement. Security should not sit only with IT. It is a business risk and should be managed accordingly.

The SoA helps translate technical and organisational controls into management decisions. That makes it valuable beyond the audit.

Final guidance for businesses preparing their SoA

An ISO 27001 Statement of Applicability explains which Annex A controls apply to the organisation, why they apply, whether they are implemented, and why any controls have been excluded. It connects risk assessment, risk treatment, legal duties, customer expectations, and business needs into one central document.

To prepare it well, the business needs a clear scope, a completed risk assessment, a risk treatment plan, control decisions, strong justifications, accurate status information, and supporting evidence.

UK Cyber Compliance provides a practical route for UK businesses that want to manage ISO 27001 more easily through an automated and AI driven platform. By helping organisations track risks, controls, documents, and audit readiness, the platform makes the Statement of Applicability easier to build, maintain, and explain.

For businesses seeking ISO 27001 certification, the SoA is not just another document. It is one of the clearest ways to show that information security controls are understood, justified, and actively managed.

UK Cyber Compliance is here to help

For more information, please do get in touch.
