Statement of Applicability

A Statement of Applicability is a documented summary of which information security controls an organization has selected, omitted, and implemented to meet the requirements of ISO/IEC 27001, including justifications and implementation status for each control.

Expanded Explanation

1. Technical Function and Core Characteristics

A Statement of Applicability documents the applicability, selection, exclusion, and implementation status of information security controls from ISO/IEC 27001 Annex A or a comparable control set. It also records justifications for both inclusion and exclusion decisions for each control. The document establishes traceability between identified information security risks, risk treatment decisions, and the chosen controls that form part of the organization’s Information Security Management System (ISMS).

The Statement of Applicability usually references the organization’s risk assessment and risk treatment plan and indicates whether each control is implemented, planned, or not applied. It functions as an auditable record for certification bodies and internal governance, supporting verification that the control environment aligns with declared policies and risk acceptance criteria.

2. Enterprise Usage and Architectural Context

Enterprises use the Statement of Applicability as a central artifact within the ISMS lifecycle defined by ISO/IEC 27001. Security architects and control owners use it to align technical, procedural, and organizational controls with business processes, assets, and risk scenarios. The document supports coordination between enterprise architecture, security architecture, and risk management by mapping each control to systems, locations, and organizational units where it applies.

In technology and cloud environments, the Statement of Applicability helps document which controls the organization manages directly and which it allocates to service providers or shared-responsibility arrangements. It also supports integration with internal control frameworks, regulatory mappings, and Governance, Risk, and Compliance (GRC) tooling by providing a structured catalog of controls and their status.
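The two sections above describe the Statement of Applicability as a structured record: each control carries an applicability decision, an implementation status (implemented, planned, or not applied), a justification for inclusion or exclusion, an owner, and a mapping to the systems, locations, or organizational units where it applies, with traceability back to risk treatment decisions. The following Python example, added here and not taken from the page or from any standard or GRC product, models that record and runs the consistency checks an auditor or GRC engineer would want before a review. All control identifiers (`C-001` and so on), risk identifiers, field names, and sample entries are constructed placeholders and not Annex A references.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    """Implementation status values the page names for each control."""
    IMPLEMENTED = "implemented"
    PLANNED = "planned"
    NOT_APPLIED = "not applied"


@dataclass
class SoAEntry:
    """One row of the Statement of Applicability (hypothetical schema)."""
    control_id: str
    title: str
    applicable: bool            # selected (True) or excluded (False)
    status: Status
    justification: str          # reason for inclusion or exclusion
    owner: str = ""             # accountable control owner
    scope: tuple[str, ...] = () # systems / locations / org units the control covers


@dataclass
class RiskTreatment:
    """A risk treatment decision naming the controls chosen to treat one risk."""
    risk_id: str
    controls: tuple[str, ...]


def validate_soa(entries: list[SoAEntry], treatments: list[RiskTreatment]) -> list[str]:
    """Return human-readable findings; an empty list means the SoA is internally consistent."""
    findings: list[str] = []
    by_id: dict[str, SoAEntry] = {}

    for e in entries:
        if e.control_id in by_id:
            findings.append(f"{e.control_id}: duplicate entry")
        by_id[e.control_id] = e

        kind = "inclusion" if e.applicable else "exclusion"
        if not e.justification.strip():
            findings.append(f"{e.control_id}: missing justification for {kind}")
        # Applicability and status must agree with each other.
        if e.applicable and e.status is Status.NOT_APPLIED:
            findings.append(f"{e.control_id}: applicable but status is 'not applied'")
        if not e.applicable and e.status is not Status.NOT_APPLIED:
            findings.append(f"{e.control_id}: excluded but status is '{e.status.value}'")
        # Selected controls need an owner and a scope mapping to be auditable.
        if e.applicable and not e.owner:
            findings.append(f"{e.control_id}: applicable control has no owner")
        if e.applicable and not e.scope:
            findings.append(f"{e.control_id}: applicable control has no scope mapping")

    # Traceability in both directions between risk treatment and the SoA.
    referenced = {c for t in treatments for c in t.controls}
    for e in entries:
        if e.applicable and e.control_id not in referenced:
            findings.append(
                f"{e.control_id}: applicable but no risk treatment references it; "
                "confirm the justification records the reason for selection")
    for t in treatments:
        for c in t.controls:
            if c not in by_id:
                findings.append(f"{t.risk_id}: references unknown control {c}")
            elif not by_id[c].applicable:
                findings.append(f"{t.risk_id}: references control {c} that the SoA excludes")
    return findings


def summarize(entries: list[SoAEntry]) -> dict[str, int]:
    """Count controls per status, the headline figure management and auditors ask for."""
    counts = {s.value: 0 for s in Status}
    for e in entries:
        counts[e.status.value] += 1
    return counts


# Constructed sample data: deliberately includes one incomplete row (C-004),
# one untraced control (C-005) and one treatment pointing at bad controls (R-03).
SAMPLE_ENTRIES = [
    SoAEntry("C-001", "Access control policy", True, Status.IMPLEMENTED,
             "Treats R-01", owner="CISO", scope=("HQ", "ERP")),
    SoAEntry("C-002", "Backup verification", True, Status.PLANNED,
             "Treats R-02", owner="IT Ops", scope=("Datacentre",)),
    SoAEntry("C-003", "Secure development lifecycle", False, Status.NOT_APPLIED,
             "No in-house software development in ISMS scope"),
    SoAEntry("C-004", "Logging and monitoring", True, Status.IMPLEMENTED, ""),
    SoAEntry("C-005", "Clear desk policy", True, Status.IMPLEMENTED,
             "Selected for contractual reasons", owner="Facilities", scope=("HQ",)),
]
SAMPLE_TREATMENTS = [
    RiskTreatment("R-01", ("C-001",)),
    RiskTreatment("R-02", ("C-002", "C-004")),
    RiskTreatment("R-03", ("C-003", "C-999")),
]

if __name__ == "__main__":
    for line in validate_soa(SAMPLE_ENTRIES, SAMPLE_TREATMENTS):
        print(line)
    print(summarize(SAMPLE_ENTRIES))
```

Run against the sample data, `validate_soa` reports six findings: three for the incomplete row `C-004`, one for the untraced `C-005`, and two for treatment `R-03`. The excluded control `C-003` is not flagged for lacking a risk reference, because exclusions only need a recorded justification; the bidirectional check is what gives the document the traceability between risks, treatment decisions, and controls that the page describes.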

3. Related or Adjacent Technologies

The Statement of Applicability relates to the ISO/IEC 27001 risk assessment, risk treatment plan, and Annex A control set, as well as to ISO/IEC 27002, which provides detailed implementation guidance for the same controls. It also connects to broader control catalog frameworks such as NIST Special Publication 800-53 and sector-specific regulatory control lists through mapping activities. GRC platforms often model the Statement of Applicability as a configuration item to manage control scope, ownership, and evidence collection.

The document also interacts with policies, standards, and procedures that operationalize the selected controls in daily practice. Internal and external auditors refer to the Statement of Applicability to scope audits, test control design and operating effectiveness, and confirm that declared exclusions and risk acceptances align with documented criteria.

4. Business and Operational Significance

For management and certification bodies, the Statement of Applicability provides a verifiable list of security controls that support ISO/IEC 27001 certification and ongoing conformity assessments. It offers transparency on why the organization has implemented or excluded controls and how those decisions relate to documented risks. This clarity supports governance decisions, resource allocation for control implementation, and oversight of the ISMS.

Operational teams use the Statement of Applicability as a reference for control ownership, scope, and status, which aids in planning remediation work, tracking improvements, and preparing for surveillance or recertification audits. Customers, partners, and regulators may review the Statement of Applicability, under agreed disclosure arrangements, to understand the organization’s control posture in relation to contractual, regulatory, or supply chain security expectations.