Statement of Applicability
For the Statement of Applicability, are we to justify ONLY what we would like to implement, or do we need to go through each control listed in Annex A and explain why we have (or haven't) decided to implement them?
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
You need to go through all controls listed in Annex A and explain why we have (or haven't) decided to implement them.
Please note that according to ISO 27001, the following information must be included in the SOA:
- All applied controls
- Justification for inclusions
- Implementation status
- Justification for exclusions of controls from Annex A
You can also add information you consider relevant to help manage the ISMS (e.g., a brief description of how the control is implemented).
For further information, see:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Comment as guest or Sign in
Apr 06, 2023