The statement of applicability is the connection between risk assessment and risk treatment in an organization and is a requirement for information security management system (ISMS) implementations. The Statement of Applicability (SoA) is a fundamental component of an organization’s Information Security Management System (ISMS)and a critical document in achieving ISO 27001 certification.

Getting Started 

  • Vanta allows you to upload your own version or use a prebuilt template. Start by focusing on the Justification for Control Inclusion column. You will likely include almost all of these controls so you will identify the purpose of the control. The key at the top of the page should provide some guidance regarding the controls.



  • Tip: Many of these are security best practices and help mitigate risks within your company. If you have any contractual obligations, you can note that. Additionally, if you are pursuing additional standards to ISO27001, they will be regulatory controls (for example, this could be anything GDPR related).
  • In the implementation overview column, you should fill in one of the following: implemented, excluded, in-process, or not started based on the status of these controls and the related tests in Vanta (I will explain below). Ultimately, all controls will be implemented or excluded when you are audit-ready. 
  • If a specific control is excluded, it is likely because you are passing the responsibility and risk to a third party. For example, regarding physical security controls, your cloud provider is almost certainly managing physical security risks. 
    • Here is a link to a helpful article from our Principal of Cybersecurity about the ISO audit, Section 5 outlines some controls that may not be relevant for your business. 
  • Many of these controls can seem vague. You can rely on the Compliance Page starting at Annex A 5 to see what tests are included in each control's implementation, to get a better understanding of the corresponding tests that map to the control, and determine the status.