Part 3: Risk Treatment – The ISO 27001 Statement of Applicability

This is Part 3 of our series on implementing information security risk assessments. You can read Part 1, ‘How to start your risk assessment the easy way’, here, and Part 2, ‘Simplifying the information security risk assessment process’, here.

The Statement of Applicability (SoA) is one of the most important ISO 27001 documents you will produce. It should:

  • Identify the controls you’ve selected to address the risks you’ve identified
  • Explain why you’ve selected them
  • State whether or not they have been implemented
  • Explain why any ISO 27001 Annex A controls have been omitted

Although ISO 27001 doesn’t require you to use Annex A controls exclusively, you do have to check the controls you select from elsewhere against those in Annex A to ensure that each risk is appropriately mitigated.

This means that there will be at least 114 entries in your SoA – one for each Annex A control. Each of these will include extra information about each control and, ideally, link to relevant documentation about each control’s implementation.

A risk assessment report can be very long, so an SoA is a useful document for everyday operational use. It’s a simple demonstration that controls have been implemented and it’s a useful link to the relevant policies, processes, and other documentation and systems that have been applied to treat each identified risk.

Think of it as an index to your information security management system (ISMS).

ISO 27001 technical corrigenda

It is important to note is that two technical corrigenda were issued in 2014 and 2015 to address ambiguities in the original version of ISO/IEC 27001:2013. One of these corrigenda addresses the subclause that mentions the SoA, so it’s worth discussing here.

ISO 27001 Technical Corrigendum 2 – ISO/IEC 27001:2013/Cor.2:2015

Subclause 6.1.3 of ISO 27001:2013 originally stated that:

The organization shall define and apply an information security risk treatment process to:


d) produce a Statement of Applicability that contains the necessary controls (see 6.1.3 b) and c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.

This was rightly deemed ambiguous. Some auditors interpreted it as meaning that the SoA should show:

  • The necessary controls
  • Justification for including those necessary controls
  • Whether or not the necessary controls were implemented
  • Justification for excluding Annex A controls

Others interpreted it as meaning that it should show:

  • The necessary controls
  • Justification for including the necessary controls, regardless of whether they had yet been implemented
  • Justification for excluding Annex A controls

This may seem like a relatively minor difference in interpretation, but it led to a number of nonconformities being raised erroneously in certification audits.

ISO/IEC therefore issued a technical corrigendum in early 2015 to amend subclause 6.1.3 d) to read:

d) produce a Statement of Applicability that contains:

  • The necessary controls (see 6.1.3 b) and c));
  • Justification of their inclusion;
  • Whether the necessary controls are implemented or not; and
  • The justification for excluding any of the Annex A controls.

Technical Corrigendum 2 is available on the ISO website, as is Technical Corrigendum 1, which replaces subclause A.8.11.

We suggest that you download both when you buy your copy of the Standard. If you purchase the ISO 27001 standard from IT Governance, you automatically receive a copy of both.

Simplify the risk assessment process

The risk assessment software tool vsRisk™ produces an audit-ready ISO 27001 SoA that updates automatically as you go through your risk assessment, saving you time and money while improving the efficiency of your risk assessment process.

To find out more about vsRisk, click here >>