What is an ISO 27001 Statement of Applicability (SoA)?

What is a Statement of Applicability (SoA) for ISO 27001, and how does ISO 27002 fit in?

ISO 27001 is the International Organization for Standardization's (ISO) standard for an Information Security Management System (ISMS).

ISO 27001 references a document that it calls the Statement of Applicability or SoA.

There’s something confusing about the name.

Simply put, the Statement of Applicability is a list of security controls.

A list of security controls is far easier to understand!

If you’re aligning with the ISO 27001 standards, you will need to demonstrate that you’ve considered all the controls in ISO 27001 Annex A, which just happens to also be the controls that are detailed in ISO 27002.

Beware, ISO 27002:2013 (released in 2013) is still in use, but ISO 27002:2022 (unsurprisingly released in 2022) will soon be taking its place.

So, simply, the ISO 27001 Statement of Applicability is a list of security controls, which should consider the controls listed in ISO 27002.
