What does the Statement of Applicability list?


The Statement of Applicability is a crucial document within the ISO 27001 framework: it lists the applicable controls from Annex A of the standard, along with any additional controls the organization deems necessary for its information security management system (ISMS). For each control, it records how the control relates to the organization's specific context and its risk assessment results, and the decision the organization has made about implementing it.

The importance of the Statement of Applicability lies in its role as a foundational document for the implementation and continuous improvement of the ISMS. It serves as a reference point for auditors and management, offering clarity on the controls selected and their applicability. This also aids in demonstrating compliance with ISO 27001 during audits.

While tracking the number of incidents, identifying the employees involved in risk assessments, and correcting documentation errors are all important activities, none of them is recorded in the Statement of Applicability. The document's focus is on stating which specific controls the organization has chosen to implement or exclude, together with the rationale for each decision, so that all stakeholders understand why those choices were made.
