Statement of Applicability (SOA) Template


What is the Statement of Applicability (SOA) Template?

A Statement of Applicability (SOA) Template is a key component of an ISO-based Information Security Management System (ISMS): it gives an overview of the organization's approach to managing specific risks and demonstrates how the organization meets the requirements of the standard. It is a document used in an ISMS to record the applicability of the security controls defined in a particular standard or framework, such as ISO/IEC 27001. The SOA serves as a roadmap that helps an organization identify which security controls are relevant to its specific context, risks, and objectives.

The SOA template identifies the controls that the organization has selected and implemented to manage its information security risks.

How do I use it?

For a TrustCloud customer, the SOA can be populated automatically. Once the SOA is populated, check column L for any exclusions.

For non-TrustCloud customers, the following columns need to be filled out:

  1. Column F: Mark whether the Annex A IS control is applicable to your organization.
  2. Column G: Document all necessary controls implemented to address the Annex A IS control.
  3. Justification Columns [H to K]: Mark an X where necessary for each Annex A IS control. Use the legend for control inclusion as guidance.
  4. Column L: For any Annex A IS control that is excluded, explain why.

Value to the organization:

The Statement of Applicability (SOA) template helps organizations by providing a structured framework to identify and document the security controls relevant to their Information Security Management System (ISMS). It records which controls are implemented and their justification, and explains why other controls are excluded, ensuring transparency and alignment with ISO 27001 requirements. The SOA supports risk management by linking controls to identified risks, which aids compliance and audit readiness. It also serves as a reference for continuous improvement and decision-making, helping organizations demonstrate their commitment to information security and regulatory compliance and ultimately strengthening their overall security posture.

Use this template to record the SOA process and to provide an audit trail that satisfies the SOA control during the audit.

What control does it satisfy?

Completing this template helps satisfy the following controls:

BIZOPS-31 Statement of Applicability: An organization maintains a Statement of Applicability document, which summarizes the organization's position on each ISO 27001 Annex A control.

The following screenshot shows the Statement of Applicability (SOA) Template.

[Screenshot: Statement of Applicability (SOA) Template]

Learn more about TrustOps to create and maintain a personalized common control framework (CCF) that automatically maps each control to many compliance standards.


