ISO 27001:2022 Statement of Applicability (SoA)
The Statement of Applicability (SoA) is a document unique to ISO/IEC 27001; other management system standards have no equivalent. It is mandatory for any Information Security Management System (ISMS) seeking ISO 27001 certification, whatever the organization's sector, although it is most often encountered in Information Security (IS) and Information Technology (IT) environments. The SoA is documented by:
- P-800 (Statement of Applicability)
The SoA requires your organization to review each of the 93 reference controls listed in Annex A of ISO 27001:2022. The Annex A controls are not mandatory in themselves: which controls are necessary is determined by your risk treatment process (clause 6.1.3), and Annex A serves as a checklist to confirm that no necessary control has been overlooked. As you review each control, determine whether it is needed to treat one or more of your identified risks. If it is not, mark the control Not Applicable in the SoA and record a justification for the exclusion that ties back to your risk assessment or to the scope of the ISMS (for example, the activity the control addresses is not performed anywhere within scope).
If a control is applicable, mark it Applicable, state whether it is currently implemented or not yet implemented (the standard requires this), and describe how your organization fulfils it, typically by referencing the policy, procedure or technical measure that implements it. The SoA may also list necessary controls that do not appear in Annex A, such as controls drawn from another framework or designed in-house.
When completed, the SoA states your organization's official position on every Annex A control: whether it is applicable, whether it is implemented, how it is fulfilled, or why it has been excluded.
During a certification audit, auditors use the SoA as their checklist. For controls marked Applicable they sample evidence that the described implementation actually operates, and for controls marked Not Applicable they test whether the justification holds up against the risk assessment and the activities they observe. A control recorded as implemented without supporting evidence, or excluded without a defensible justification, will be raised as a nonconformity.
By implementing the SoA (P-800), your organization addresses ISO 27001 clause 6 (Planning), in particular clause 6.1.3 d), which explicitly requires a Statement of Applicability listing the necessary controls, the justification for their inclusion, their implementation status, and the justification for any Annex A exclusions; clause 8 (Operation), under which the risk treatment plan is carried out; and Annex A (Controls).
WI-802 (SoA Work Instruction) provides step-by-step instructions on how to use the Statement of Applicability (P-800).