The statement of applicability (also known as an SOA) is a document which identifies the controls chosen for your environment, and explains how and why they are appropriate. The SOA is derived from the output of the risk assessment/ risk treatment plan and, if ISO27001 compliance is to be achieved, must directly relate the selected controls back to the original risks they are intended to mitigate. Normally the controls are selected from ISO17799, but it is possible to also include own controls. A number of sector specific schemes are being introduced which stipulate additional mandatory controls.

The SOA should make reference to the policies, procedures or other documentation or systems through which the selected control will actually manifest.

It is also good practise to document the justification of why those controls not selected were excluded.

Once the Statement of Applicability is complete the next step is the implementation programme.