# Statement of Applicability (ISO 27001)

| Property | Value |
|---|---|
| Document ID | RISK-003 |
| Version | 1.0 |
| Status | Draft |
| Owner | Chief Information Security Officer (CISO) |
| Last Updated | 2026-01-11 |
| Next Review | 2027-01-11 |
| Related Controls | ISO 27001: 6.1.3(d) |

## 1. Purpose

The Statement of Applicability (SoA) is a mandatory ISO 27001 document that:
- Lists all controls from Annex A (ISO 27001:2022)
- States whether each control is applicable
- Provides justification for inclusion or exclusion
- References implementation evidence

## 2. Document Information

| Field | Value |
|---|---|
| Organization | [Company Name] |
| ISMS Scope | Information systems supporting [product/service] |
| ISO 27001 Version | ISO 27001:2022 |
| Annex A Version | ISO 27002:2022 (93 controls) |
| Prepared By | [name] |
| Approved By | [name] |

## 3. Applicability Legend

| Status | Description |
|---|---|
| Applicable | Control is relevant and implemented |
| Partially Applicable | Control is partially implemented |
| Not Applicable | Control is not relevant to scope |
| Planned | Control is applicable but not yet implemented |

| Implementation Status | Description |
|---|---|
| ✅ Implemented | Control is fully operational |
| 🔄 In Progress | Control implementation underway |
| 📅 Planned | Control planned for implementation |
| ❌ Not Applicable | Control excluded with justification |

## 4. Statement of Applicability - ISO 27001:2022 Annex A Controls

### A.5 Organizational Controls

| Control | Title | Applicable | Status | Justification / Evidence |
|---|---|---|---|---|
| A.5.1 | Policies for information security | Yes | ✅ | POL-001: Information Security Policy |
| A.5.2 | Information security roles and responsibilities | Yes | ✅ | Defined in POL-001 and job descriptions |
| A.5.3 | Segregation of duties | Yes | ✅ | RBAC implementation, change management |
| A.5.4 | Management responsibilities | Yes | ✅ | Executive security committee, policy approval |
| A.5.5 | Contact with authorities | Yes | ✅ | Incident response plan (POL-008) |
| A.5.6 | Contact with special interest groups | Yes | ✅ | Industry group memberships documented |
| A.5.7 | Threat intelligence | Yes | ✅ | Threat intel feeds, vulnerability monitoring |
| A.5.8 | Information security in project management | Yes | ✅ | Security requirements in SDLC |
| A.5.9 | Inventory of information and other assets | Yes | ✅ | Asset inventory maintained |
| A.5.10 | Acceptable use of information and assets | Yes | ✅ | Acceptable use policy |
| A.5.11 | Return of assets | Yes | ✅ | Offboarding procedure (PROC-001) |
| A.5.12 | Classification of information | Yes | ✅ | POL-005: Data Classification Policy |
| A.5.13 | Labeling of information | Yes | ✅ | Labeling requirements in POL-005 |
| A.5.14 | Information transfer | Yes | ✅ | Secure transfer requirements defined |
| A.5.15 | Access control | Yes | ✅ | POL-002: Access Control Policy |
| A.5.16 | Identity management | Yes | ✅ | IdP implementation, unique user IDs |

### A.6 People Controls

| Control | Title | Applicable | Status | Justification / Evidence |
|---|---|---|---|---|
| A.6.1 | Screening | Yes | ✅ | Background check process |
| A.6.2 | Terms and conditions of employment | Yes | ✅ | Employment agreements with security terms |
| A.6.3 | Information security awareness, education and training | Yes | ✅ | FW-004: Security Awareness Plan |
| A.6.4 | Disciplinary process | Yes | ✅ | HR disciplinary procedures |
| A.6.5 | Responsibilities after termination or change of employment | Yes | ✅ | Offboarding procedure, NDA |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | ✅ | NDA in employment agreements |
| A.6.7 | Remote working | Yes | ✅ | Remote work security requirements |
| A.6.8 | Information security event reporting | Yes | ✅ | Incident reporting in POL-008 |

### A.7 Physical Controls

| Control | Title | Applicable | Status | Justification / Evidence |
|---|---|---|---|---|
| A.7.1 | Physical security perimeters | Partial | ✅ | Office access controls; cloud-primary |
| A.7.2 | Physical entry | Partial | ✅ | Badge access to office |
| A.7.3 | Securing offices, rooms and facilities | Partial | ✅ | Office security measures |
| A.7.4 | Physical security monitoring | Partial | 🔄 | CCTV in office areas |
| A.7.5 | Protecting against physical and environmental threats | Partial | ✅ | Cloud provider controls |
| A.7.6 | Working in secure areas | No | ❌ | No secure areas; cloud infrastructure |
| A.7.7 | Clear desk and clear screen | Yes | ✅ | Clean desk policy, screen locks |
| A.7.8 | Equipment siting and protection | Partial | ✅ | Cloud provider controls |
| A.7.9 | Security of assets off-premises | Yes | ✅ | Mobile device policy, encryption |
| A.7.10 | Storage media | Yes | ✅ | Encryption, secure disposal |
| A.7.11 | Supporting utilities | No | ❌ | Cloud infrastructure; no data center |
| A.7.12 | Cabling security | No | ❌ | Cloud infrastructure |
| A.7.13 | Equipment maintenance | Partial | ✅ | Endpoint management |
| A.7.14 | Secure disposal or re-use of equipment | Yes | ✅ | Secure wipe procedures |

### A.8 Technological Controls

| Control | Title | Applicable | Status | Justification / Evidence |
|---|---|---|---|---|
| A.8.1 | User endpoint devices | Yes | ✅ | MDM, endpoint security |
| A.8.2 | Privileged access rights | Yes | ✅ | PAM, privileged access policy |
| A.8.3 | Information access restriction | Yes | ✅ | RBAC, access controls |
| A.8.4 | Access to source code | Yes | ✅ | GitHub access controls, branch protection |
| A.8.5 | Secure authentication | Yes | ✅ | MFA, POL-003 |
| A.8.6 | Capacity management | Yes | ✅ | Cloud auto-scaling, monitoring |
| A.8.7 | Protection against malware | Yes | ✅ | EDR, antivirus |
| A.8.8 | Management of technical vulnerabilities | Yes | ✅ | PROC-004: Vulnerability Management |
| A.8.9 | Configuration management | Yes | ✅ | PROC-003: Secure Configuration Standards |
| A.8.10 | Information deletion | Yes | ✅ | Data retention, secure deletion |
| A.8.11 | Data masking | Yes | ✅ | Masking in non-prod environments |
| A.8.12 | Data leakage prevention | Yes | 🔄 | DLP implementation in progress |
| A.8.13 | Information backup | Yes | ✅ | POL-009: Backup & Recovery Policy |
| A.8.14 | Redundancy of information processing facilities | Yes | ✅ | Multi-AZ, cloud redundancy |
| A.8.15 | Logging | Yes | ✅ | POL-007: Logging & Monitoring Policy |
| A.8.16 | Monitoring activities | Yes | ✅ | SIEM, alerting |
| A.8.17 | Clock synchronization | Yes | ✅ | NTP configured on all systems |

## 5. Summary Statistics

| Category | Total | Applicable | Not Applicable | Implemented | In Progress |
|---|---|---|---|---|---|
| A.5 Organizational | 37 | 37 | 0 | 37 | 0 |
| A.6 People | 8 | 8 | 0 | 8 | 0 |
| A.7 Physical | 14 | 10 | 4 | 9 | 1 |
| A.8 Technological | 34 | 34 | 0 | 33 | 1 |
| Total | 93 | 89 | 4 | 87 | 2 |

## 6. Exclusion Justifications

| Control | Justification |
|---|---|
| A.7.6 Working in secure areas | Organization does not operate secure/restricted areas; cloud-first infrastructure |
| A.7.11 Supporting utilities | No owned data center; cloud providers manage utilities |
| A.7.12 Cabling security | No owned data center; cloud infrastructure |
| A.7.8 Equipment siting (partial) | Limited on-premises equipment; cloud infrastructure |

## 7. Approval

| Role | Name | Signature | Date |
|---|---|---|---|
| CISO | _________________ | _________________ | ________ |
| CEO | _________________ | _________________ | ________ |

## 8. Related Documents

- Information Security Policy (POL-001)
- ISO 27001 ISMS Overview (FW-002)
- Control Mapping Matrix (RISK-004)

## 9. Version History

| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-01-11 | Security Team | Initial release |

This document is classified as INTERNAL. Unauthorized distribution is prohibited.