The Statement of Applicability (SoA) is one of the core documents of an ISO 27001 ISMS. It lists the 93 reference controls from Annex A (2022 edition) and states, for each one, whether you apply it, how it is implemented, its current implementation status, and, where you exclude it, why.
Every ISMS must identify and record the company's legal, regulatory, and contractual obligations related to information security, as ISO 27001 requires, and explain how those obligations are met.
Put simply, your Statement of Applicability defines exactly which controls you operate to fulfil those business-critical obligations.
And the best thing is that we've got you covered. We give you an auditor-approved Statement of Applicability template so you can go through the audit process with no hassle!
Where can I find my Statement of Applicability?
Locating your SoA template is a piece of cake! It sits in your Google Drive/SharePoint folder alongside your other no-code tools and policies. Navigate to ISO27001 Docs -> Statement of Applicability to find it.
Understanding the Statement of Applicability table
At first the table may seem overwhelming because of the amount of information it holds. No worries, we're here to simplify it for you. Here's a breakdown of the tabs you'll find in the SoA table.
SOA: home page with basic information about the tool and its content - ideal to track progress within other tabs and who's working on them.
Clauses: the general clauses of your information security management system (ISMS). Check out the video below to learn more about it.
Organizational controls: measures that you can implement to manage information security risks and ensure compliance with legal, regulatory, and contractual requirements.
People controls: measures to manage the security of personnel within an organization.
Physical controls: measures to prevent unauthorized physical access, damage, and interference to an organization's information and associated assets.
Technological controls: outlines the various measures that you can implement to protect your information and associated assets from a range of security risks.
Version history: useful for you to track version changes as your team interacts with the SOA.
Additionally, the table features columns indicating whether each control is maintained in-house or outsourced, its applicability, its implementation status, and a column for justifying the applicability decision.
How to complete the Statement of Applicability
Despite being rich in information, completing the SoA is straightforward. Your mission is to identify which controls are relevant to your operations. To make things easy for you, here's a video guide on how to work on the new SOA.
Don't have enough time to watch the video? No problem. Click on the collapsed titles to get a written summary of the video:
I'm working on the SOA for the first time
Use the SOA tab to track your progress within the different SOA sections.
Use the Clauses tab to prepare for the internal audit with Secfix. The goal is to implement every control displayed on this tab.
Copy the text (Ctrl+C) of the control you want to work on, located in column D (Control name). In your Secfix app, go to Security Reports and click on ISO 27001 Report.
Press Ctrl+F on your keyboard to open your browser's search feature and paste the text (Ctrl+V) into it. Secfix will show you whether that particular control is implemented or not. If it has green checks, set 100% implementation for that control on the Clauses tab.
If that control has no green check mark, you now know what to fix.
The remaining tabs (the ones that start with numbers) are exclusive to the SOA and you'll repeat the following process for every one of them.
Review the controls and their descriptions.
Assess whether they're applicable or not to your operation.
Write down the justification for the inclusion/exclusion of this control by using the template answers we added to column J.
Pro tip: easily replace dummy text within column J by pressing Ctrl+F on your keyboard and then clicking on the three dots (...) to open find and replace. That way you can replace the dummy text with your company name. As these controls get implemented, set them to 100% completion on the spreadsheet.
Use the Version history tab to manage different versions of the SOA whenever it gets used by your team.
I want to migrate my old SOA (2013/2017) to the new version (2022)
Thanks to your feedback, we added Clauses to the SOA. This will replace your old Internal Audit Checklist (POL-07.1) and can be used to go through the internal audit process with Secfix. Here's how to work on it:
Copy the text (Ctrl+C) of the control you want to work on, located in column D (Control name). In your Secfix app, go to Security Reports and click on ISO 27001 Report.
Press Ctrl+F on your keyboard to open your browser's search feature and paste the text (Ctrl+V) into it. Secfix will show you whether that particular control is implemented or not. If it has green checks, set 100% implementation for that control on the Clauses tab.
If that control has no green check mark, you now know what to fix.
There are now fewer controls to work on and they've been merged into 4 separate sections (Organizational, People, Physical, and Technological).
We improved the template answers we give on the Justification for inclusion/exclusion column.
We added a Gap Analysis column to the SOA so that every new (2022) control is mapped to the control it replaces in the old SOA version (2013/2017).
Hot Tips to Remember:
Auditors love applicable controls: treat every SOA control as applicable by default. Marking a control N/A should be a last resort, because auditors will always challenge exclusions.
Justification: when stating why a control isn't applicable, give a detailed explanation. Aim for two to three substantial sentences that reference your risk assessment or scope rather than a one-line "not relevant".
Review regularly: revisit the SoA towards the end of your certification project to update any statements that have changed, and whenever your scope or risk treatment plan changes, since ISO 27001 requires the SoA to stay consistent with both.
Need Assistance?
If you find yourself with more questions, don't hesitate to reach out via our in-app chat feature. We're here to facilitate a smooth and successful certification process.