Is a Statement of Applicability required by ISO 27001?


The Statement of Applicability (SoA) is indeed a required element of ISO 27001. This document serves several crucial purposes within an information security management system (ISMS). Firstly, it records which controls from Annex A of the standard are applicable to the organization, based on its risk assessment and the specific context of its operations. This allows the organization to identify clearly how it is managing its information security risks.

Additionally, the SoA provides a summary of the current state of those controls, indicating whether they are implemented, not implemented, or partially implemented. This is fundamental for the continuous improvement aspect of the ISMS, as it helps organizations track progress and make informed decisions on addressing vulnerabilities.

The requirement for a Statement of Applicability applies to every organization regardless of its size or risk profile, making the SoA essential during both the establishment and the maintenance of the ISMS. Therefore, understanding and documenting the applicable controls in the SoA is a critical component of compliance with ISO 27001.
