ISO 27001 Statement of Applicability Examples
Practical Statement of Applicability examples, SoA rationale templates, and inclusion exclusion criteria for ISO 27001 certification audits.
The Statement of Applicability (SoA) determines which of ISO 27001’s 93 Annex A controls apply to your organization—and which do not. Auditors scrutinize this document closely. Poor rationale leads to nonconformities, delays, and certification failure.
What Makes a Good SoA Entry
Every control entry requires six elements:
- Control reference (A.x.x format)
- Control title (from Annex A)
- Applicability (Yes/No/Partial)
- Justification for inclusion or exclusion
- Implementation approach (how the control operates)
- Responsible party (who owns the control)
Weak rationale includes vague statements like “not applicable to our business.” Strong rationale references specific organizational characteristics, compensating controls, or documented risk acceptance.
Statement of Applicability Examples
Included Control: A.5.1 Information Security Policies
| Element | Entry |
|---|---|
| Applicability | Yes |
| Justification | Required for all organizations per ISO 27001:2022 clause 5.1. Policies define ISMS scope, roles, and management commitment. |
| Implementation | Master Information Security Policy (v3.2) approved by Board 2024-01-15. Quarterly review cycle. Published on intranet. |
| Owner | Chief Information Security Officer |
Excluded Control: A.7.13 Equipment Disposal
| Element | Entry |
|---|---|
| Applicability | No |
| Justification | Organization operates 100% cloud-native infrastructure. No on-premises servers, workstations, or mobile devices are owned. All hardware is managed by AWS and Microsoft Azure under ISO 27001-certified data center contracts. Exclusion justified under clause 6.1.3, with compensating control A.5.23 (cloud service agreements) addressing the hardware lifecycle. |
| Implementation | N/A—control excluded with documented rationale |
| Owner | N/A |
Partial Implementation: A.8.9 Configuration Management
| Element | Entry |
|---|---|
| Applicability | Partial |
| Justification | Configuration management fully implemented for production cloud infrastructure via infrastructure-as-code (Terraform) and automated compliance scanning (Wiz CSPM). Development environments use IaC but lack automated drift detection. Partial implementation justified; full implementation planned Q3 2026 per risk treatment plan. |
| Implementation | Production: Terraform + Wiz. Non-production: Terraform only. Manual reviews monthly. |
| Owner | VP of Infrastructure |
Justified Exclusion: A.7.7 Clear Desk and Clear Screen Policy
| Element | Entry |
|---|---|
| Applicability | No |
| Justification | Remote-first organization with no corporate office. 100% of workforce operates from home offices. Physical security of work environment addressed via A.6.5 (remote working policy) requiring secure home office setup. Clear desk requirements impractical and unnecessary given zero on-site presence. Risk accepted by management. |
| Implementation | N/A—control excluded with documented rationale |
| Owner | N/A |
High-Risk Inclusion: A.8.16 Monitoring Activities
| Element | Entry |
|---|---|
| Applicability | Yes |
| Justification | Critical for detecting unauthorized access and policy violations. High-risk environment due to customer data processing and PCI-DSS scope. Mandatory per organizational risk assessment (RA-2024-003). |
| Implementation | Datadog SIEM monitors all production systems. Alerting configured for privilege escalation, data exfiltration patterns, and failed authentication. Logs retained 12 months. Weekly review by SOC team. |
| Owner | Security Operations Manager |
Third-Party Compensation: A.8.1 User Endpoint Devices
| Element | Entry |
|---|---|
| Applicability | Yes |
| Justification | Organization issues corporate devices to 85 employees. BYOD prohibited for systems accessing customer data. Control required to ensure device security baseline. |
| Implementation | Microsoft Intune MDM enrollment mandatory. Device compliance policies enforce encryption, PIN requirements, OS patching within 7 days. Non-compliant devices blocked from corporate resources. Quarterly device audits. |
| Owner | IT Manager |
SoA Template Structure
Organize your Statement of Applicability in this column format:
| Control | Title | Applicable? | Justification | Implementation | Owner |
|---|---|---|---|---|---|
| A.5.1 | Information security policies | Yes | Required for all organizations | Master policy v3.2, quarterly reviews | CISO |
| A.5.2 | Information security roles | Yes | Required for ISMS governance | RACI matrix documented | CISO |
| A.7.13 | Equipment disposal | No | Cloud-only infrastructure | N/A—compensating control A.5.23 | N/A |
| A.8.9 | Configuration management | Partial | Production fully covered; dev gaps documented | Terraform + Wiz (prod), Terraform only (dev) | VP Infra |
Include all 93 Annex A controls. Do not omit rows for excluded controls—auditors expect to see every control addressed.
Common SoA Mistakes to Avoid
- Vague justification: “Not needed” or “doesn’t apply” fails audit. Reference specific organizational facts, compensating controls, or risk acceptance decisions.
- Missing compensating controls: When excluding A.7.x physical controls for cloud environments, cite A.5.23 cloud agreements and provider certifications.
- Inconsistent implementation status: If A.8.9 is “Partial,” the implementation column must explain exactly what is and is not covered.
- No ownership: Every applicable or partially applicable control needs a named responsible party, not just a department.
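A checker that applies the six-element requirement and the mistakes listed above to an SoA exported in the column format shown earlier, as an added example (not from the page or any tool it names); the sample rows, the stock-phrase list, and the length and "plan" heuristics are constructed assumptions:

```python
import csv, io, re

# Annex A of ISO 27001:2022: 37 organizational, 8 people, 14 physical and 34 technological controls.
ANNEX_A = {f"A.{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
           for n in range(1, count + 1)}
VAGUE = ("not needed", "doesn't apply", "not applicable to our business")
CONTROL_REF = re.compile(r"\bA\.[5-8]\.\d{1,2}\b")  # e.g. a cited compensating control

# Constructed sample SoA in the column layout used above; deliberately contains weak rows.
SAMPLE_SOA = """Control,Title,Applicable?,Justification,Implementation,Owner
A.5.1,Information security policies,Yes,"Required for all organizations; policies define ISMS scope, roles and management commitment","Master policy v3.2, quarterly reviews",CISO
A.7.13,Equipment disposal,No,Cloud-only infrastructure; hardware lifecycle covered by A.5.23 cloud agreements,N/A,N/A
A.8.9,Configuration management,Partial,Production fully covered; dev drift detection gap closure planned Q3 2026 per risk treatment plan,"Terraform + Wiz (prod), Terraform only (dev)",VP Infra
A.7.7,Clear desk and clear screen,No,Not needed,N/A,N/A
A.8.16,Monitoring activities,Yes,Critical for detecting unauthorized access; mandatory per risk assessment RA-2024-003,"Datadog SIEM, 12-month retention",N/A
"""

def load_soa(text):
    return list(csv.DictReader(io.StringIO(text)))

def check_soa(rows):
    """Return (control, finding) pairs; an empty list means the SoA passes every check."""
    findings, seen = [], set()
    for r in rows:
        ref, app = r["Control"].strip(), r["Applicable?"].strip()
        just, impl, owner = (r[k].strip() for k in ("Justification", "Implementation", "Owner"))
        seen.add(ref)
        if ref not in ANNEX_A:
            findings.append((ref, "unknown control reference"))
        if app not in ("Yes", "No", "Partial"):
            findings.append((ref, f"applicability must be Yes/No/Partial, got {app!r}"))
        # Vague rationale: a stock phrase, or too short to name an organizational fact (length is a heuristic).
        if len(just) < 20 or any(v in just.lower() for v in VAGUE):
            findings.append((ref, "vague justification"))
        if app in ("Yes", "Partial"):  # applicable controls need a named owner and a description
            if not owner or owner.upper() == "N/A":
                findings.append((ref, "no named owner"))
            if not impl or impl.upper() == "N/A":
                findings.append((ref, "no implementation description"))
        # Exclusions must cite a compensating control or a risk acceptance decision.
        if app == "No" and not (CONTROL_REF.search(just) or "risk accept" in just.lower()):
            findings.append((ref, "exclusion cites no compensating control or risk acceptance"))
        if app == "Partial" and "plan" not in just.lower():  # heuristic: the gap needs a treatment plan
            findings.append((ref, "partial status without a treatment plan for the gap"))
    # Every one of the 93 controls must have a row, including excluded ones.
    for missing in sorted(ANNEX_A - seen, key=lambda c: tuple(map(int, c[2:].split(".")))):
        findings.append((missing, "control missing from SoA"))
    return findings
```

Run `check_soa(load_soa(SAMPLE_SOA))` to list the findings; the sample flags A.7.7 twice, A.8.16 once, and the 88 controls with no row.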
Certification Audit Preparation
Auditors test SoA rationale during Stage 1 (documentation review) and Stage 2 (implementation evidence). Prepare by:
- Ensuring justification aligns with your ISMS scope statement
- Confirming implementation descriptions match actual control operation
- Verifying control owners can explain their responsibilities
- Documenting management review and approval of the SoA
The SoA is a living document. Update it when scope changes, new risks emerge, or control implementations mature.
Ready to build your Statement of Applicability? See our ISO 27001 Compliance & Audit Readiness guide for complete implementation support.