Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice

X

When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

What is the Statement of Applicability in ISO27001?

In some ways, the ISO27001 standard has an unusual structure. Although it follows the same “Annex SL” or High Level Structure layout as the other ISO management system standards, it also has this “Annex A” at the back, which gets a lot of attention, and is a major part of the ISO27001 standard. And, related to that, what is this “statement of applicability” that everyone keeps talking about? In this blog we’ll go through the purpose of Annex A and answer the question “what is the statement of applicability in ISO27001?”.

It’s a risk thing

So you may already be aware that ISO27001 is a risk-based standard. This means that the actions you take and the processes you put in place should be based on an assessment of your risks. The good news is that you therefore don’t need to put anything in place that really doesn’t apply to you. For example, if your organization doesn’t write bespoke code, then the ISO27001 standard doesn’t insist that you have a development environment and secure it appropriately – because for you, that doesn’t make sense. However, it does expect you to do something to address (or “treat”) the risks you do have. But what kinds of actions should you take to address these risks? Well, this is where the ISO27001 standard provides some helpful guidance in the form of the reference controls in Annex A. This is a list of 93 (down from 114 in the previous version, 2013) good ideas (or more specifically, “controls”) that you can use to reduce your levels of risk and make your organization that bit safer.

The process of risk assessment and treatment in ISO27001 then, is basically to look at what could happen, and to pick the appropriate controls from Annex A to improve your chances of the risk either not happening (reduce the likelihood), or to make it less of a problem if it does (reduce the impact), or ideally, both.

The Annex A shopping list

You could look at the set of controls in Annex A as a shopping list of best practice ideas that have been suggested by organizations all over the world and that are considered to be effective ways to improve the security of your information. The don’t just cover technical areas such as anti-malware, but address softer issues such as recruitment and employee awareness too.

But as we said earlier, this list may not apply to everyone. ISO standards are written to be used across the globe in all industries and in all shapes and sizes of organization. So there may be some on the list that just don’t apply to you. If you’re going for certification to ISO27001, then your auditor will want to know which of the controls in Annex A apply, and which ones don’t; and this is where the statement of applicability comes in.

What is the statement of applicability?

The standard is very clear that the statement of applicability is a mandatory document, and if you don’t have one when the certification auditor comes to call, you’re going to have an embarrassing few minutes with some very raised eyebrows, likely culminating in a major nonconformity (and nobody likes those).

So you definitely need one, but what does it look like?

Structure of the statement of applicability

Clause 6.1.3 d) of the ISO27001 standard says that you must produce a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether they are implemented or not, and the justification for excluding any of the Annex A controls.

In practice this will be a list of the controls from Annex A and, for each control, an indication of whether that control is applicable or not (a yes or no answer), a brief reason for your decision and, for those that are applicable, a simple indication of how far you have got towards implementing it (this could be a yes or no answer, or perhaps some shades of grey, such as “partially”). This list often takes the form of a spreadsheet with columns for:

  • applicable/not applicable
  • reason for inclusion/exclusion
  • implementation status

There’s no need to indicate which risks from your risk assessment the control is applied to (although you can if you want to) and your justifications for inclusion or exclusion don’t need to be particularly long or wordy.

Tips for the audit

Your auditor will certainly be interested in seeing your statement of applicability and the focus will often be on those controls you have excluded, so make sure your justification is well thought through and a simple list of excluded controls is to hand (to save you searching the spreadsheet). Often the number of excluded controls is relatively small, with the most common areas of exclusion probably being around software development, resulting in maybe half a dozen non-applicables. Ensure your statement of applicability is version-controlled as it will probably change over time as your organization evolves.

Annex A is based on the ISO27002 standard which was updated in February 2022, and a new version of the ISO27001 standard was published in October 2022, bringing Annex A up to date. The new set of controls has only four groupings and a reduced number of controls, although much of this reduction is due to existing controls being merged together so in fact no controls have actually been removed. These changes will necessitate a new version of your statement of applicability with an updated list, but you will have three years to transition to the new situation.

In summary

Hopefully we have answered the question “what is the statement of applicability in ISO27001?” at least in overview and this will be helpful in preparing for certification to the standard. Don’t forget that this is a required document and that certain information must be given within it to make it valid. If you follow these simple guidelines then you shouldn’t have a problem at audit time.

 

Written by Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. Note, this blog has been updated in November 22 to reflect the new 2022 standard. 


More ISO27001 resources

CertiKit are a provider of ISO toolkits, consultancy and internal auditing services, and have helped more than 4000 organizations worldwide with their compliance.

For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.

Free ISO27001 Resources

We’ve helped more than 7000 businesses with their compliance

Testimonials

I like the fact that the documents are very comprehensive and more than sufficient for compliance.

Infoslips
South Africa

View all Testimonials