
Statement of Applicability (SoA)

Definition

A mandatory document, required by ISO/IEC 27001 clause 6.1.3, that lists every Annex A control with a statement of whether it is included or excluded, the justification for each decision, and, for included controls, whether the control is actually implemented together with a reference to the implementation evidence. Because exclusions must be justified individually, the SoA is the primary audit reference for control coverage and the link between the risk treatment plan and the controls in operation.

Related terms

Annex A
The normative annex to ISO/IEC 27001 that lists 93 information security controls across four themes: organisational (37 controls), people (8), physical (14),...
Risk owner
The individual or role accountable for ensuring a risk is treated appropriately and that the treatment remains effective. Owners should control the...
Continual improvement
The ISO/IEC 27001 requirement (clause 10) that the organisation must actively improve the suitability, adequacy, and effectiveness of the ISMS over time....
High-Level Structure (HLS)
The common clause framework mandated by ISO for all management system standards. Clauses 4 through 10 of ISO 27001 follow the same...
Information Security Management System (ISMS)
The set of policies, processes, procedures, and controls that an organisation establishes to manage information security risk. ISO 27001 specifies the requirements...
ISMS scope
The explicit boundaries of the management system: which organisational units, sites, processes, and information assets are covered. Defined under ISO/IEC 27001 clause...
ISO/IEC 27002
A guidance standard (not certifiable) that provides implementation advice for each of the 93 controls in ISO 27001 Annex A. Updated in...
Management review
The review of the ISMS that top management must carry out at planned intervals under ISO/IEC 27001 clause 9.3, covering audit results, nonconformities, risk assessment results, the status of the risk treatment plan, and opportunities for continual improvement.
Residual risk
The risk that remains after controls are applied. If residual risk exceeds the organisation's risk appetite, further treatment is required or management...
Risk appetite
The amount and type of risk an organisation is willing to accept in pursuit of its objectives, as defined by its governing...
Risk register
A structured record of all identified risks, each with its description, inherent risk score, owner, treatment decision, controls selected, residual risk score,...
Risk treatment
The process of selecting and implementing options to modify risk. ISO/IEC 27005 describes four treatment options: risk modification (reduce or mitigate), risk retention (accept), risk avoidance, and risk sharing (transfer)...

Explained in these topics

  • Designing and Implementing an ISMS: A mandatory document listing every ISO/IEC 27001 Annex A control with a statement of whether it is included or excluded, the justification for each decision, a...
  • ISO/IEC 27001: Standard Structure and Requirements: A mandatory document required by Clause 6.1.3 that lists all 93 Annex A controls, states which are applicable, justifies any that are excluded, and references...
  • Risk Treatment and the Risk Register: A document required by ISO/IEC 27001 that lists all controls from Annex A, records whether each is applicable to the organisation, and references the treatment...
