This document fully describes the controls included in the ISO 27001/2 Statement of Applicability (SOA). It can be used both to create and to audit your own SOA.
The Statement of Applicability (SOA) is a central, mandatory part of the ISO 27001 standard for Information Security Management Systems and is the main link between the risk assessment & treatment and the implementation of your information security.
The SOA explains which of the suggested controls from ISO 27001 Annex A you will apply, and justifies any excluded controls.
This PDF provides a comprehensive evaluation template for the ISO 27002 SOA, ensuring that all controls are meticulously assessed and documented. It includes detailed descriptions and requirements for various control categories, such as internal organization, access control, cryptography, and supplier relationships. Each control is clearly outlined with its objectives, applied status, and references, making it easy to track compliance and implementation.
Clause A.6 focuses on the organization of information security, detailing the roles and responsibilities for maintaining security within the organization. It emphasizes the importance of segregation of duties, contact with external authorities, and managing information security as an integral part of project management. This section ensures that all relevant controls are applied and documented, providing a robust framework for internal security management.
Clause A.12 addresses operations security, outlining the procedures and responsibilities for secure operation of information processing facilities. It covers aspects such as documented operating procedures, change management, capacity management, and audit considerations. This clause is crucial for maintaining the integrity and availability of information systems, ensuring that all operational aspects are securely managed and controlled.
Executive Summary
This PDF is a working ISO 27001 Statement of Applicability template built around the ISO/IEC 27001:2013 control structure and Annex A control groups. It explains what the Statement of Applicability is, why it is mandatory within an ISMS, and how it connects risk assessment and risk treatment to actual control implementation. The document is designed to help a team create its own SoA or use the same structure to audit an existing SoA. It includes a short primer on ISO 27001, then moves into a clause-by-clause SoA evaluation template covering all 14 Annex A control groups from A.5 through A.18. Each control entry is set up for documenting the source for requirement, whether the control is fully applied, not applied, or partly applied, and the related inclusion or exclusion reference. Buyers can use it to document selected controls, justify excluded controls, map controls back to internal policies and procedures, and prepare supporting evidence for ISO 27001 compliance and audit activity. It is especially useful for organizations that need a structured, ready-to-customize SoA worksheet rather than a narrative overview of information security management.
Who This Is For and When to Use
• ISMS managers building or updating an ISO 27001 Statement of Applicability
• Information security leads documenting Annex A control selection and justification
• Risk and compliance teams linking risk treatment decisions to implemented controls
• Internal auditors reviewing whether the SoA is complete, consistent, and audit-ready
• Consultants supporting ISO 27001 implementation, gap assessment, or certification readiness
• Governance teams that need a structured control-by-control SoA reference
Best-fit moments to use this deck:
• During ISO 27001 implementation when the organization needs to draft its initial Statement of Applicability
• During risk treatment planning when selected controls must be tied back to identified risks
• Before an internal audit or certification audit when exclusions and evidence references need to be checked
• During SoA refresh cycles when control applicability, supporting policies, and partial implementation actions must be updated
Learning Objectives
• Define what the Statement of Applicability is within an ISO 27001 ISMS
• Explain how the SoA links risk assessment, risk treatment, and control implementation
• Identify the 14 ISO 27001 Annex A control groups covered in the template
• Document the source for requirement for each control using a repeatable structure
• Classify controls as fully applied, not applied, or partly applied
• Record inclusion and exclusion references for each control in a consistent format
• Build an SoA that references underlying policies, procedures, and other control documentation
• Review excluded controls and document the justification for non-application
• Use the template as an audit aid for checking SoA completeness and traceability
Table of Contents
• What Is ISO 27001 (page 3)
• ISO 27002 Statement of Applicability (page 4)
• ISO 27002 SoA Evaluation Template (page 4)
• Clause A.5: Information Security Policies (page 6)
• Clause A.6: Organization of Information Security (page 7)
• Clause A.7: Human Resource Security (page 9)
• Clause A.8: Asset Management (page 11)
• Clause A.9: Access Control (page 13)
• Clause A.10: Cryptography (page 16)
• Clause A.11: Physical and Environmental Security (page 17)
• Clause A.12: Operations Security (page 19)
• Clause A.13: Communications Security (page 23)
• Clause A.14: System Acquisition, Development and Maintenance (page 25)
• Clause A.15: Supplier Relationships (page 28)
• Clause A.16: Information Security Incident Management (page 29)
• Clause A.17: Information Security Aspects of Business Continuity Management (page 30)
• Clause A.18: Compliance (page 31)
• Further Resources (page 33)
Primary Topics Covered
• Statement of Applicability Structure - The document explains that the SoA identifies the controls chosen for the organization’s environment, explains why they are appropriate, and serves as the main link between risk assessment, risk treatment, and information security implementation.
• ISO 27001 Annex A Control Selection - The template is organized around the 14 Annex A groups, from information security policies through compliance, reflecting the 114 controls referenced in the document’s overview of ISO/IEC 27001:2013.
• SoA Evaluation Fields - Every control entry is structured around four working fields: Control, Source for Requirement, Applied, and Control Reference for inclusion or exclusion.
• Source for Requirement Coding - The template provides explicit source categories for control origin, including Risk Assessments, Corporate Policy, Contractual Agreement, Data Protection Law, and Compliance.
• Applied Status Tracking - The SoA format supports three applicability states for each control: fully applied, not applied, and partly applied, allowing teams to document both implemented and in-progress controls.
• Inclusion and Exclusion Justification - The control reference field is used to cite policy titles when a control is fully applied, explain absence when not applied, and record programmed actions when application is only partial.
• Clause-by-Clause ISMS Control Coverage - The template walks through policy, organization, HR security, asset management, access control, cryptography, physical security, operations security, communications security, system development, supplier management, incident management, continuity, and compliance.
• Audit and Implementation Use - The summary states directly that the document can be used both to create an SoA and to audit an SoA, making it useful for implementation work and compliance review.
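The field rules above (RI/CP/AG/DA/CO source codes, Y/N/P applied status, and a control reference that must carry a policy title, an exclusion reason, or a programmed action) can be checked mechanically. The following is an added example, not code from the Flevy page or from the Kyriazoglou template; the CSV column layout and the sample rows are assumptions made for illustration.

```python
# Added example: completeness check over Statement of Applicability rows,
# using the page's own coding scheme. CSV layout and sample rows are assumed.
import csv
import io

# Source for Requirement codes: Risk Assessments, Corporate Policy,
# Contractual Agreement, Data Protection Law, Compliance
SOURCES = {"RI", "CP", "AG", "DA", "CO"}
# Applied status: fully applied, not applied, partly applied
APPLIED = {"Y", "N", "P"}
# The 14 Annex A control groups the template covers (A.5 .. A.18)
ANNEX_A_GROUPS = {f"A.{n}" for n in range(5, 19)}

# What the Control Reference field must contain for each status
REFERENCE_NEEDED = {
    "Y": "policy title",
    "N": "exclusion justification",
    "P": "programmed improvement action",
}

# Constructed sample SoA rows (control ids follow Annex A numbering; texts are illustrative)
SAMPLE_SOA = """control,source,applied,reference
A.5.1.1,CP,Y,Information Security Policy v3
A.6.1.2,RI,P,
A.9.2.1,RI,Y,Access Control Policy
A.10.1.1,DA,N,
A.12.3.1,XX,Y,Backup Procedure
"""


def check_soa(csv_text):
    """Return a list of (control, problem) findings for an SoA given as CSV text."""
    findings = []
    seen_groups = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        control = row["control"].strip()
        source = row["source"].strip().upper()
        applied = row["applied"].strip().upper()
        reference = row["reference"].strip()
        # "A.12.3.1" -> "A.12" so group coverage can be checked afterwards
        seen_groups.add(".".join(control.split(".")[:2]))
        if source not in SOURCES:
            findings.append((control, f"unknown source code '{source}'"))
        if applied not in APPLIED:
            findings.append((control, f"unknown applied status '{applied}'"))
            continue
        if not reference:
            findings.append((control, f"missing {REFERENCE_NEEDED[applied]}"))
    # Every Annex A group from A.5 to A.18 should have at least one row
    for group in sorted(ANNEX_A_GROUPS - seen_groups, key=lambda g: int(g.split(".")[1])):
        findings.append((group, "no controls recorded for this Annex A group"))
    return findings
```

Running `check_soa(SAMPLE_SOA)` flags the two rows with empty references, the invalid source code, and the nine Annex A groups the sample never records.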
Deliverables, Templates, and Tools
• ISO 27001 Statement of Applicability template covering all 14 Annex A control groups
• Control-by-control SoA worksheet for documenting applicability decisions
• Source for requirement tracking template using RI, CP, AG, DA, and CO source categories
• Applied status matrix for marking controls as Y, N, or P
• Inclusion and exclusion reference log for linking controls to policies, procedures, and justifications
• Information security policies reference list for fully applied controls
• Partial implementation action tracker for controls marked as partly applied
• Excluded control justification record for controls marked as not applied
• Clause-level evaluation tables for A.5 through A.18
• Audit review checklist format for checking whether SoA entries are complete and documented
Slide Highlights
• Summary page that explains the SoA as a mandatory, central part of ISO 27001 and the main bridge between risk treatment and implemented controls
• ISO 27001 overview pages that define the standard, the purpose of an ISMS, and the 10 clauses plus Annex A structure
• Template instructions that explain exactly how to complete Source for Requirement, Applied, and Control Reference fields
• Clause A.5 table that frames management direction and policy review as the starting point for the SoA
• Clause A.9 access control section that breaks user access, user responsibilities, and system/application access into separate control categories
• Clause A.12 operations security section that spans operating procedures, malware, backup, logging, software control, vulnerabilities, and audit considerations
• Clause A.14 development and maintenance section that covers security requirements, secure development, system change control, outsourced development, testing, and protection of test data
• Further Resources page that lists additional John Kyriazoglou publications and closes with a disclaimer that the material is educational and should be customized
Potential Workshop Agenda
SoA Scoping and ISO 27001 Alignment Session (60-90 minutes)
• Review what the Statement of Applicability is and how it connects to risk treatment
• Confirm the Annex A control groups that must be evaluated
• Align on how the organization will document source, applicability, and supporting references
Control Applicability Working Session (90-120 minutes)
• Walk through the clause tables from A.5 to A.18
• Mark each control as fully applied, not applied, or partly applied
• Capture first-pass rationale for exclusions and partial implementation items
Evidence and Reference Mapping Session (60-90 minutes)
• Link applied controls to information security policies, procedures, and system documents
• Document missing policy references and evidence gaps
• Clarify which partial controls require programmed improvement actions
Audit Readiness Review Session (60 minutes)
• Check whether SoA entries are traceable back to risk treatment decisions
• Review excluded controls and non-application justifications
• Prepare the SoA for internal audit, management review, or certification support
Customization Guidance
• Replace the generic control reference fields with your organization’s actual policy titles, procedures, standards, and system documents
• Tailor the source for requirement entries to reflect whether a control is driven by risk assessment, corporate policy, contractual obligation, data protection law, or compliance need
• Add your own control references where the organization uses controls beyond the standard Annex A list
• Use the partial application option to document programmed improvement actions for controls that are only partly implemented
• Expand exclusion justifications so they clearly explain why a control is not applicable in your environment
• Update the SoA after risk treatment changes so selected controls continue to map directly to the risks they mitigate
Secondary Topics Covered
• ISO/IEC 27001:2013 as an information security management standard
• ISMS as a set of policies, planning activities, responsibilities, procedures, processes, and resources
• Confidentiality, integrity, and availability as core information security outcomes
• Organizational context, leadership, planning, support, operation, performance review, and corrective action within the ISO 27001 structure
• Mobile devices and teleworking controls within organizational security
• Asset inventory, ownership, acceptable use, and return of assets
• Network controls, information transfer controls, and nondisclosure agreements
• Supplier relationship governance and supplier service delivery monitoring
• Incident reporting, incident response, learning from incidents, and collection of evidence
• Information security continuity, redundancies, and availability of information processing facilities
• Legal, contractual, privacy, intellectual property, and cryptographic compliance obligations
• Independent review of information security and technical compliance review
Topic FAQ
Document FAQ
These are questions addressed within this presentation.
What is a Statement of Applicability in ISO 27001?
It is the document that identifies which information security controls the organization has chosen, explains why they are appropriate, and justifies any excluded controls. The PDF describes it as a central, mandatory part of the ISO 27001 standard for an ISMS.
Is this document a narrative guide or a working template?
It is both. It starts with a short explanation of ISO 27001 and the SoA, then provides a clause-by-clause evaluation template that can be filled in and also used to audit an existing SoA.
Does the template cover all Annex A control groups?
Yes. It includes 14 clause tables covering A.5 through A.18, which matches the Annex A control group structure described in the document.
How does the template capture why a control exists?
It uses a Source for Requirement field. The document lists Risk Assessments, Corporate Policy, Contractual Agreement, Data Protection Law, and Compliance as example sources.
How do I mark whether a control applies?
The Applied field uses three options. A control can be marked as fully applied, not applied, or partly applied.
What should go in the Control Reference field?
For fully applied controls, the document says to record the titles of the relevant information security policies. For controls not applied, it says to document the reasons for absence, and for partly applied controls, it says to note the programmed improvement actions.
Can this template support audit work?
Yes. The summary states that the document can be used both to create and to audit an SoA, so it can support internal review and certification preparation.
Does the PDF include only policy controls?
No. It spans a broad range of security control areas, including access control, cryptography, physical and environmental security, operations security, communications security, secure development, supplier relationships, incident management, business continuity, and compliance.
Does the template allow organization-specific controls beyond ISO 27001 Annex A?
Yes. The document states that controls are normally selected from ISO 27001, but it is also possible to include an organization’s own controls.
Is the document ready to use as-is?
It is ready to use as a structured base template, but the disclaimer makes clear that the material is for educational and training purposes and should be customized to the needs and environment of each organization.
Glossary
• ISO/IEC 27001 - An information security management systems standard described in the document as ISO/IEC 27001 Information technology – Security techniques – Information security management systems – Requirements
• ISMS - A set of interrelated elements including policies, planning activities, responsibilities, practices, procedures, processes, and resources used to manage information security
• Statement of Applicability - The document that identifies chosen controls for the environment and explains how and why they are appropriate
• SoA - Short form for Statement of Applicability
• Annex A - The section of ISO 27001 that lists controls and control objectives
• Risk Assessment - A source used to determine why a control is required and part of the link between risks and selected controls
• Risk Treatment Plan - The planning output from which the SoA is derived and to which selected controls should relate
• Source for Requirement - The field used to document where the need for a control originated
• Applied - The field used to show whether a control is fully applied, not applied, or partly applied
• Control Reference - The field used to document policy titles, exclusion reasons, or programmed improvement actions
• RI - Symbol used for Risk Assessments in the Source for Requirement field
• CP - Symbol used for Corporate Policy in the Source for Requirement field
• AG - Symbol used for Contractual Agreement in the Source for Requirement field
• DA - Symbol used for Data Protection Law in the Source for Requirement field
• CO - Symbol used for Compliance in the Source for Requirement field
• Inclusion - The documented basis for a control that is selected and applied
• Exclusion - The documented justification for a control that is not selected or not applied
• Partly Applied - A status showing that a control is not fully implemented and requires programmed improvement actions
• Information Security Policy - The top-level policy referenced in the A.5 control category as part of management direction for information security
• Technical Compliance Review - A control under A.18.2 used to review whether systems comply with security policies and standards
Source: Best Practices in ISO 27001 PDF: ISO 27001 ISMS: Statement of Applicability PDF (PDF) Document, John Kyriazoglou