Mastering the ISO 27001 Statement of Applicability (SoA) with Fides Rating: A Practical Guide

The Statement of Applicability (SoA) is one of the most critical documents in an Information Security Management System (ISMS) based on the ISO/IEC 27001 standard. Far more than a simple requirement, the SoA serves as a strategic map that outlines how an organization selects, implements, and maintains its security controls.

What is the Statement of Applicability (SoA)?

The SoA is an official document that acts as a comprehensive checklist for an organization's information security posture. It identifies which security controls from Annex A of the ISO 27001 standard are relevant to the organization and explains how they are applied. Essentially, it is a declaration of what a company does to stay secure and why.

The Role and Importance of the SoA

The SoA plays a central role in both the internal management and external certification of an ISMS:

Mandatory Certification Requirement: An organization cannot achieve ISO 27001 certification without a completed SoA.

Bridge Between Risk and Treatment: It serves as the vital link between the results of a risk assessment and the specific security measures chosen to address those risks.

Auditor’s Roadmap: During an audit, the SoA is typically the first document requested, as it tells the auditor exactly which controls to verify.

Stakeholder Transparency: It provides visibility to management, board members, and external partners (such as customers or investors) regarding the organization’s approach to managing information security.

Core Objectives of the SoA

The primary objectives of the SoA are to:

1. Document Decisions: Record why specific security measures were chosen and others were left out.

2. Show Compliance: Provide tangible proof that the organization meets the standard's requirements.

3. Encourage Accountability: Clearly identify the reasons for each control—whether based on legal, risk, business, or contractual requirements.

4. Support Continuous Improvement: Act as a living document to monitor the effectiveness of the ISMS over time.

What is the Content of an SoA?

While the exact content can vary, a robust SoA must include:

A List of All Annex A Controls: For the ISO 27001:2022 version, this involves 93 controls organized into four categories.

Applicability Status: A clear indication of whether each control is "applicable" or "not applicable" to the organization.

Justification: A detailed explanation for why a control was included or excluded. For example, if an organization does not develop its own software, it would justify excluding secure development controls.

Implementation Status: Information on whether the applicable controls have been fully implemented.

Control Details: Many organizations also include the control owner, the date of the last assessment, and descriptions of how the control functions in practice.

Format and Structure

There is no single mandatory layout, but the most common and effective format is an Excel spreadsheet. A spreadsheet allows for easy tracking of numerous data points, such as version control, implementation dates, and justification text. It should be organized into sections or columns that allow for clear navigation by both internal teams and external auditors.

Managing and Sharing the SoA

The SoA is intended to be an internal management document. While some organizations treat it as highly confidential and share it only with auditors, others share it with clients or partners upon request to provide assurance of the organization’s security posture.

Because information security is dynamic, the SoA must be a living document. It should be reviewed at least once a year or whenever significant changes occur in the organization's business model, technology stack, or threat landscape. Regularly updating the SoA ensures the ISMS remains effective and reflects the current reality of the organization’s risks.
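The sections above describe the SoA as a spreadsheet of rows (one per Annex A control) with an applicability status, a justification, an implementation status, an owner and a last-review date, reviewed at least once a year. The following script is an added example, not code from this article or from Fides Rating: it reads such a spreadsheet exported as CSV, checks the consistency rules those sections imply (every control justified whether included or excluded, every applicable control with an implementation status and an owner, no control reviewed more than a year ago) and produces the applicable/not-applicable headline count. The column names are this example's own assumption, and the five sample rows are constructed for illustration (a real SoA lists all 93 controls); the control numbers follow the ISO/IEC 27001:2022 Annex A numbering.

```python
import csv
import io
from datetime import date

# Constructed sample extract of an SoA kept as a spreadsheet and exported to CSV.
# Column names are this example's own assumption; a real SoA lists all 93
# Annex A controls, these five rows are only illustrative.
SAMPLE_SOA_CSV = """\
control_id,title,category,applicable,justification,implementation_status,owner,last_reviewed
A.5.1,Policies for information security,Organizational,yes,Required by risk assessment R-01,implemented,CISO,2025-03-10
A.5.7,Threat intelligence,Organizational,yes,Contractual requirement from key customer,partially implemented,SOC lead,2023-11-02
A.8.25,Secure development life cycle,Technological,no,No in-house software development,,,2025-03-10
A.8.28,Secure coding,Technological,no,,,,2025-03-10
A.8.5,Secure authentication,Technological,yes,Risk assessment R-07,,,2025-03-10
"""

REQUIRED_COLUMNS = {"control_id", "title", "category", "applicable", "justification",
                    "implementation_status", "owner", "last_reviewed"}
# The four control categories (themes) of ISO/IEC 27001:2022 Annex A.
CATEGORIES = {"Organizational", "People", "Physical", "Technological"}
# Review cadence from the article: at least once a year.
REVIEW_INTERVAL_DAYS = 365


def parse_soa(text):
    """Parse a CSV export into row dicts, refusing exports that lack a required column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"SoA export is missing columns: {sorted(missing)}")
    return list(reader)


def validate_soa(rows, as_of):
    """Return (control_id, code, detail) findings an auditor would raise on these rows.

    as_of is an ISO date string used as 'today' so results are reproducible.
    """
    today = date.fromisoformat(as_of)
    findings = []
    for row in rows:
        cid = row["control_id"].strip()
        if row["category"].strip() not in CATEGORIES:
            findings.append((cid, "unknown_category", row["category"]))
        applicable = row["applicable"].strip().lower()
        if applicable not in ("yes", "no"):
            findings.append((cid, "invalid_applicability", row["applicable"]))
        # Every control needs a justification, whether included or excluded.
        if not row["justification"].strip():
            findings.append((cid, "missing_justification", ""))
        # Only applicable controls need an implementation status and an owner.
        if applicable == "yes":
            if not row["implementation_status"].strip():
                findings.append((cid, "missing_implementation_status", ""))
            if not row["owner"].strip():
                findings.append((cid, "missing_owner", ""))
        try:
            reviewed = date.fromisoformat(row["last_reviewed"].strip())
        except ValueError:
            findings.append((cid, "bad_review_date", row["last_reviewed"]))
            continue
        age = (today - reviewed).days
        if age > REVIEW_INTERVAL_DAYS:
            findings.append((cid, "review_overdue", f"{age} days since last review"))
    return findings


def applicability_summary(rows):
    """Count applicable vs. excluded controls, the headline numbers management asks for."""
    summary = {"applicable": 0, "not_applicable": 0}
    for row in rows:
        key = "applicable" if row["applicable"].strip().lower() == "yes" else "not_applicable"
        summary[key] += 1
    return summary


if __name__ == "__main__":
    rows = parse_soa(SAMPLE_SOA_CSV)
    print(applicability_summary(rows))
    for cid, code, detail in validate_soa(rows, "2025-06-01"):
        print(f"{cid}: {code} {detail}".rstrip())
```

Run against the sample rows with 2025-06-01 as the reference date, the script reports A.5.7 as overdue for review, A.8.28 as excluded without a justification, and A.8.5 as applicable but lacking both an implementation status and an owner, while the excluded secure-development control A.8.25 passes because its exclusion is justified. Running such a check before the annual review, or as part of a change that touches the business model or technology stack, catches the gaps an auditor would otherwise find first.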
