1. What is the Statement of Applicability (SoA)?
The Statement of Applicability (SoA) is one of the core documents of an ISO 27001 ISMS. It lists the 93 controls of Annex A (ISO/IEC 27001:2022), states for each control whether it applies to your organization, justifies every inclusion and exclusion, and records the control's implementation status.
ISO 27001 requires every ISMS to identify and record the organization's legal, regulatory, and contractual obligations related to information security, and to document how those obligations are met.
Put simply, your Statement of Applicability defines exactly which controls you exercise to fulfill those business-critical obligations.
And the best part: we've got you covered. We give you an auditor-approved Statement of Applicability template so you can go through the audit process with no hassle.
Where can I find my Statement of Applicability?
Locating your SoA template is straightforward. It lives in your Google Drive/SharePoint folder: navigate to Supporting Docs -> Statement of Applicability to find it.
Understanding the Statement of Applicability table
Here's a breakdown of the tabs you'll find in the SoA table.
SoA: home page with basic information about the tool and its contents. Use it to track progress within the other tabs and who is working on them.
Clauses: the general clauses of your information security management system (ISMS). Check out the video below to learn more about them.
Organizational controls: measures that you can implement to manage information security risks and ensure compliance with legal, regulatory, and contractual requirements.
People controls: measures to manage the security of personnel within the organization.
Physical controls: measures that prevent unauthorized physical access to, damage to, and interference with the organization's information and associated assets.
Technological controls: technical measures that you can implement to protect your information and associated assets from a range of security risks.
Version history: lets you track version changes as your team works on the SoA.
Additionally, the table features columns indicating in-house or outsourced maintenance of controls, their applicability, implementation status, and a column for justifying the applicability status.
2. What is the Frameworks page?
The Frameworks page is your cheat sheet for the audit. It is an automated version of your SoA, available within the platform. It mirrors the SoA's structure and content, but:
Shows automated checks (✓ or ✗) or manual evidence, based on what is already imported or uploaded in the Secfix platform
Lets you identify gaps quickly and shows which controls you still have to conform to
Guides how you will later complete your SoA manually
Tip: use the Frameworks page as your working tool to build out your SoA efficiently.
3. Working on the SoA with Frameworks page on hand
Start with the Frameworks page
Open the Frameworks page on the platform.
Review which controls are already covered by existing policies and evidence.
Use the ✓ / ✗ marks to identify what still needs to be uploaded or updated.

Keep your SoA template on hand
For each control in the Frameworks page, check:
If it is completed (✓): find the control in the SoA, mark it as applicable, and confirm its implementation progress (the audit goal is 95%).
If it is in progress or incomplete (✗), ask:
Did we complete all relevant tasks on the Secfix platform?
Is the control applicable?
If it is excluded, why?
Which policy or document demonstrates its implementation?
Although the SoA is rich in information, completing it is straightforward: your task is to identify which controls are relevant to your operations. To make this easy, here's a video guide on how to work on the SoA.
4. How the SoA maps to the Frameworks page
Your SoA follows the same structure as the Frameworks page, which makes it easy to track your implementation progress and prepare for the audit. Here's how the two align:
| SoA Tab | Corresponding Section in the Frameworks page | Description |
|---|---|---|
| Home Page | none | Overview of the SoA, team responsibilities, and progress tracking |
| Clauses | C.4 to C.10 | All ISO 27001 core clauses (e.g. context, leadership, planning, support, operation, performance evaluation, improvement) |
| Organizational Controls | A.5 | Governance, risk management, and overarching security policies |
| People Controls | A.6 | Personnel-related measures (e.g. awareness, responsibilities, disciplinary process) |
| Physical Controls | A.7 | Protection of physical locations and assets |
| Technological Controls | A.8 | Technical safeguards such as access control, encryption, and monitoring |
| Version History | none | Tracks all changes made to the SoA for audit trail and accountability |
5. Summary: SoA vs. Frameworks
| Feature | Frameworks | Statement of Applicability (SoA) |
|---|---|---|
| Purpose | Internal working tool | Official audit document |
| Automated checks | Yes | No |
| Manual evidence | Yes | No |
| Mandatory for audit | No | Yes |
| Editable fields | Some auto-filled | Fully manual |
| Use case | Identify gaps and assign tasks | Present decisions and justifications to the auditor |
6. How the Frameworks page serves you during the audit
Use manual evidence to support your controls
When a control in the Frameworks page includes manual evidence (screenshots, uploaded documents, meeting invites, etc.), this is your proof to the auditor. Use this material to show clearly what actions you have taken to fulfill that specific control.

Example: the auditor would like to see clause C.7.2 Competence. Watch this quick Loom video to see how to find it in the platform.
Tips to remember:
Always start from the Frameworks page to streamline your SoA work.
If you are unsure about applicability or evidence, reach out to our CISO AI.
Auditors prefer applicable controls: treat the SoA controls as applicable by default. Marking a control as not applicable should be a last resort, because auditors will challenge it.
When you do state why a control is not applicable, give a detailed justification: aim for two to three substantial sentences.
Need help?
Our team is here to support you. Whether you're just getting started with your SoA or preparing for a last-minute audit, reach out via chat or email and we'll be happy to assist.