Sharing a Statement of Applicability (SOA) for ISO/IEC 27001:2013

Richard Regalado

Covers, I am sharing with you a template which I have been using for quite some time. This format has passed several audits already. This template encompasses the requirements of Clause 6.1.3.d of ISO/IEC 27001:2013.

The requirements for the SOA include:
- contain necessary controls determined for the risk treatment options chosen;
- contain other controls necessary that are not part of those determined as risk treatment options;
- justification for inclusion of the controls (not part of the 2005 version requirement);
- implementation status; and
- justification for excluding controls.

Feel free to comment on the attached document. Feel free to use it. The document shared is fully editable. If you improve the attached document, please share a copy here.


Richard Regalado


  • Statement of Applicability for ISO 27001.xlsx
    74.2 KB