ISO 27001/2-2022 Version - Statement of Applicability (Excel XLSX)

This spreadsheet describes fully the contents and an example of the controls included in the ISO 27001/2 2022 version Statement of Applicability (SOA). It can be used to create as well as to audit your own SOA. It is made up of 4 parts: Read me; Organizational Controls; People and Physical Controls; and Technological Controls. It also contains an evaluation methos and a total assessment grade for each area or domain of controls. The Statement of Applicability (SOA) is a central, mandatory part of the ISO 27001 standard for Information Security Management Systems and is the main link between the risk assessment & treatment and the implementation of your information security. The SOA explains which of the suggested controls from ISO 27001 Annex A you will apply, and justifies any excluded controls.
The statement of applicability (also known as an SOA) is a document which identifies the controls chosen for your environment, and explains how and why they are appropriate. The SOA is derived from the output of the risk assessment/ risk treatment plan and, if ISO27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate.
Normally the controls are selected from ISO27001, but it is possible to also include own controls. A number of sector specific schemes are being introduced which stipulate additional mandatory controls.
The SOA should make reference to the policies, procedures or other documentation or systems through which the selected control will actually manifest. It is also good practice to document the justification of why those controls not selected were excluded.
The following template contains 4 sections, one for each ISO 27001 clause (A.5, A6, A7 and A8).
For each ISO 27001 clause (e.g., Organizational Controls (Clause A5) and control category (e.g., Policies for information security) you must note in each table and entry the fields noted below, as per the template presented next.
TEMPLATE: <Control Title>
Control Description: <description of control as per ISO standard>
(1) Applicable: <YES or No>.
(2) Reason for Exclusion: <Not required to control risk>
(3) Implemented: <YES/NO>
(4) Compliance Control(s) or Measure(s): <Title of compliance control>
(5) Remarks: <Any relevant comments>
(6) Implementation Status: <5= Full implementation and kept up-to-date; 4=Full implementation; 3=Partial implementation; 2=Initial implementation; 1=Exists but not implemented; 0=Inexistent>.

This template provides a structured approach to documenting your organization's information security controls, ensuring compliance with ISO 27001 standards. It facilitates a clear overview of your control implementation status, helping to identify gaps and areas for improvement in your security posture.