Implementing ISO standards is a time-honored way to demonstrate that your business takes excellence seriously — that you strive for rigorous standards in quality, cybersecurity, and information management. 

ISO 27001 is the ISO standard for information security management systems. Organizations around the world strive to achieve compliance with ISO 27001 so they can manage modern information security challenges (which are many), and position themselves as trustworthy business partners to their customer base. Related: Guide to ISO 27001

All that sounds great, but one of the principal challenges of ISO 27001 compliance is simply knowing what you want to do to achieve that compliance. Your organization must first write a Statement of Applicability, outlining which controls in the ISO 27001 standard are the appropriate ones to implement at your organization and which ones aren’t necessary.

In other words, the Statement of Applicability (SoA) helps to determine the scope of your ISO 27001 project. Crafting the right SoA is a tremendously important part of the entire process. Let’s take a deep dive into how to do that.

A crash course on ISO 27001

As we mentioned earlier, ISO 27001 is an internationally recognized standard for information security management systems (ISMS). Implementing the standard in your business provides a systematic, disciplined approach to managing and protecting sensitive information within your company: personally identifiable information, health or financial data, intellectual property, or other valuable information you need to keep secure. Compliance with ISO 27001 demonstrates your company’s commitment to safeguarding data, which impresses potential customers and also helps you comply with data privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA, the California Consumer Privacy Act (CCPA) in the United States, or the General Data Protection Regulation (GDPR) in Europe. 

Achieving ISO 27001 compliance is not easy. It entails a risk assessment, where you compare your current information security processes to those dictated by ISO 27001 and then a process of implementing new policies, procedures, and other controls to close whatever gaps you find. You might need to implement new employee training, and you’ll need to perform regular internal audits and management reviews of your ISMS. The list of potential corrective actions you might need to take — and new practices you’ll need to follow — is long.

The finish line of ISO 27001 compliance is an external audit performed by an independent auditor accredited by a recognized certification body. Your business is then certified as ISO 27001-compliant.

The controls that constitute the ISO 27001 standard are listed in an appendix to the standard that’s known as Annex A. It contains 93 individual controls grouped into four larger control categories:

  1. Organizational
  2. People
  3. Physical
  4. Technological

Not every company needs to implement all 93 controls listed in Annex A. You only need to implement the controls that make sense for your specific company, business objectives, and information security risks.

Enter: The ISO 27001 Statement of Applicability

Your SoA winnows down that list of 93 controls in Annex A to the smaller number of controls you plan to implement at your company. At the start of your ISO 27001 journey, the SoA helps to define the scope of your information security management system and serves as a roadmap of what work needs to be done to align your information security practices with ISO standards. 

Along the way, however, auditors (both internal and external) will use the SoA as a reference document to assess your compliance with ISO 27001. The auditors will examine your controls, check whether those controls align with the controls outlined in the SoA, and verify that the controls have been implemented appropriately. 

Simply put, a well-structured and accurate SoA is essential for you to understand what you need to do to achieve ISO 27001 compliance and for others to verify that you have done everything necessary. 

More formally, we can define several portions of the SoA that should always be included:

Scope clarification

The SoA helps define the scope of your ISMS. That is, it specifies the business processes, IT systems, data, and other IT assets covered by the Annex A controls you decide to implement. This assures that auditors and anyone reading the SoA will understand exactly what your ISMS entails and how it fits into the larger business.

Control selection

This is where you list the security controls you’ve selected from Annex A. You can organize them by the four control categories mentioned earlier, then list each selected control in its relevant category. Include the objective for each control as well.

Rationale and justification

For each selected control, your SoA should include a few sentences about why the control’s inclusion is necessary and how it supports your security needs. This helps auditors and stakeholders understand the thinking behind your cybersecurity program.

Implementation status

Your SoA should indicate whether each selected control has been fully implemented, partially implemented, or not implemented at all. In some cases, a control might be deemed not applicable, and the SoA should provide reasoning for that decision, too.


The SoA should include references to related documents or evidence that support the implementation and effectiveness of the selected controls. For example, you could point to employee training data, results of vulnerability scans, user access policies, and so forth.

You’ve probably also realized that the SoA is not a static document. On the contrary, you and your security team should review and update the SoA often, to reflect changes in your security posture, risk assessment, or control implementations. So, in that respect, the SoA helps auditors understand your cybersecurity journey over time as much as it helps them understand what you planned to do from the start.

Crafting the ISO 27001 Statement of Applicability

Crafting your SoA can be challenging. It has many components, and precision is important. You’ll need to proceed carefully through every step. 

First, consider involving an experienced ISO 27001 auditor or consultant to help you write the SoA. They can provide guidance about what makes sense to include, what format to use, and otherwise offer guidance and assurance that your SoA will meet the needs of your ISO 27001 project.

As early as possible, consult other important business functions in your enterprise such as IT, legal, compliance, marketing, and others as necessary. They can provide valuable insights about what your biggest information security risks truly are, and help determine which controls are necessary and practical given your operations.

Next will come an exercise in documentation. Remember what we said before about “references” within the SoA, where the selected controls are tied back to relevant policies, records, and other information. You’ll need to identify that supporting evidence and keep it preserved in a single, secure database. Be sure that each selected control lists all its relevant evidence, and no more; now is not the time for your SoA to be derailed by duplicative, outdated, or incorrect supporting materials.

The SoA should also be reviewed and approved by senior management. You want to be sure that it accurately represents the company’s ambitions for ISO compliance and is endorsed by senior management so that other parts of the enterprise will understand the urgency of taking your ISO project seriously.

Then, as necessary, review and update the document. For example, you might replace obsolete policies with new ones; that should be captured in the supporting documentation. Or you might decide that upon further testing, it’s appropriate to drop some Annex A controls but add others. Any such changes should be incorporated into the Statement of Applicability on a timely basis.

Use the right tools

CISOs might look at all these demands and wonder: isn’t the SoA more like a spreadsheet? Well, yes and no. 

Yes, the information that the SoA needs to contain is best organized in a grid format, and that’s the structure a spreadsheet uses. You need to be meticulous in listing each Annex A control, its supporting references, its latest implementation status, and so forth. So, when viewing all that data at a glance, you’ll likely see something that looks like a spreadsheet. 

That said, spreadsheets are terribly risky as tools to compile your SoA. You need to bring together information from across the enterprise, and that information might evolve. That means you need the fabled “single source of truth” to maintain version control. 

Ideally, you also want a technology tool with strong control-mapping capabilities, so you can track your controls and remediation more easily. You’ll also want a platform with automatic alerting and escalation capabilities since you’ll be dealing with so many people inside and outside your organization.

With the right tool, however, drafting your SoA won’t be nearly as daunting as it seems. Then you can embark on your ISO 27001 project confidently with and ultimately succeed.

Hyperproof optimizes your workflows to achieve ISO 27001 compliance

Hyperproof is the compliance operations software solution that helps organizations implement, monitor, and maintain an ISMS that conforms to the ISO 27001:2022 standard in the most effective way possible. With Hyperproof, Glance Networks was able to create a single source of truth for compliance and automated routine, and repetitive work, streamlining workflows, and reducing work for teams across the organization. Read the case study.

To see the Hyperproof platform in action, schedule a demo with our team today.

Monthly Newsletter

Get the Latest on Compliance Operations.
Subscribe to Hyperproof Newsletter