ISO 27001 Statement of Applicability

  • Update: 07/04/2024

Creating a detailed example of a "Statement of Applicability" (SoA) requires understanding its purpose within the ISO/IEC 27001:2022 framework. The SoA is a critical document for any organization implementing an Information Security Management System (ISMS) as it demonstrates which of the standard's controls are applicable to the organization and how they are implemented or justified for non-implementation.

As I cannot directly create or share files, below is an outline of how an SoA might be structured in an Excel spreadsheet format, along with examples of content for each column. You can create an Excel file following these guidelines.

Excel Spreadsheet Structure for a Statement of Applicability
Column A: Control Number example: A.5.1.1
Column B: Control Title example: Information Security Policies
Column C: Control Category example: Organizational Controls
Column D: Applicability (Yes/No) example: Yes
Column E: Justification for Inclusion example: Essential for establishing the management framework for information security.
Column F: Implementation Status (Implemented/Partially Implemented/Not Implemented) example: Implemented
Column G: Justification for Exclusion (if applicable) example: Not Applicable
Column H: Remarks example: Reviewed & approved by ISMS Committee on [date].

Example Entries for an SoA Spreadsheet

Control Nuber

Control Title Control Category Applicability Justification for Inclusion Implementation Status Justification for Exclusion Remarks
A.5.1.1 Information Security Policies Organizational Controls Yes Essential for establishing the management framework for information security. Implemented Not Applicable Reviewed & approved on 2023-03-15
A.6.2.1  Mobile Device Policy  Organizational Controls  Yes  Critical for managing mobile access to internal networks.  Partially Implemented  Not Applicable  Pending full rollout of MDM solution
A.18.2.3  Technical Compliance Review  Compliance Controls  No  Not applicable due to the current organizational size and scope.  Not Implemented  Outside current scope  To be re-evaluated in 2024

Remember, the creation and maintenance of the SoA are dynamic processes. It should be reviewed and updated regularly to reflect the current status of your ISMS, especially after significant organizational changes, updates to ISO/IEC 27001, or in response to findings from internal or external audits.

Course Catalogue    Corporate Training    Course Calendar  Contact Us 
Limited Time Mega Sale! 25% OFF
Get Exam Premium Questions