Simplifying the Statement of Applicability

24 Jul, 2019

The Statement of Applicability… just reading those words will get many people’s heads in a spin! As many find this document daunting, we’d like to try and simplify it for you.

What is the Statement of Applicability?

The Statement of Applicability is a document that details which controls you have in place to manage the risks to the security of your businesses confidential or sensitive information.  It is the one document that contains every element you employ to achieve this and is therefore the most important document in your compliance.

The guidelines for the controls you choose are set out in ISO 27002, the code of practice for ISO 27001.  This sub-standard provides detailed information on each control, how it works and how to implement it.

In simpler terms, the Statement of Applicability is a detailed Risk Assessment.  It should document any additional controls to your information security and your reasons for their selection as well as any that have been excluded and your justification for doing so.

Why is it useful?

The Information Security management system focuses on continual improvement and the Statement of Applicability will help you achieve this.

It will help you to understand how and why you are managing risks and will ensure all necessary controls have been captured and provide guidance to any additional controls that you might not have considered.  It will allow you to review whether a control is effective and if there are any more suitable options available to you.

This document should be the main focal point for your internal audit and will be used by your Assessor at your audit.

 Completing the Statement of Applicability

Now this is the daunting part!

Whilst the initial completion of this document can feel a little overwhelming, do not be put off by its size and seemingly complexity.  Once completed, it will be subject of an annual review but shouldn’t require any major reconstruction unless your business changes substantially.  With perseverance, you will greatly increase your personal development, make a major contribution to information security compliance and conformity and perhaps save your organisation thousands of pounds.

We do provide a template for you to use which can be found in the ‘Forms and Templates’ section of the Client Area.  This document should reflect your own management system and the applicable controls required to manage your information assets.

Our top tips for completing the Statement of Applicability include:

  1. When completing this document for the first time we suggest doing so in ‘bite sized chunks’, drawing on the knowledge of personnel in relevant areas of the business i.e HR, IT and IT support provider and senior management.
  2. It may be beneficial to have a copy of ISO 27002 whilst completing the Statement of Applicability.
  3. The group of documents within the risk assessment process include: inventory of information assets, risk assessment of those assets, statement of applicability and the risk treatment plan. These documents should not be viewed in isolation but as interrelated documents.

Shaw Healthcare Group Limited have completed the Statement of Applicability well, Jasmine Bird comments “The Statement of applicability was really informative in relation to the justification for each area and key in really understanding where you are as a business.

Rather than tackling this on my own, I completed this alongside key colleagues, each of us were able to answer our respective areas. It was instrumental in constructing the Information Security Management Policy to ensure all areas were included and is a great tool for Management Review Meetings to identify areas for improvement and opportunity”.

If you do require any assistance with completing your Statement of Applicability, please do get in touch with our office on 0330 058 5551 where we can arrange for additional support.

ISO Quality Services Ltd are proud to specialise in the implementation and certification of the Internationally recognised ISO and BS EN Management Standards.

Do you want to get ahead of your competition? Win more tenders or save time and money on reoccurring issues? Contact us today on 0330 058 5551 or email

Alternatively, you can request a quote by filling out our enquiry form and a member of our team will be in touch shortly.

News Archive

  • News Archive

Featured News

Related Posts

Charity Golf Day a Swinging Success Despite COVID-19

15 Sep, 2020

Last Friday, our first ever socially distanced Golf Day took place. Our Annual Charity Golf Day usually means a warm summer’s day of socialising freely, some friendly competition and an evening meal. However, this year was evidently different, so we had to get our heads together and do some thinking.

It’s Never Too Late to Plan Ahead

24 Aug, 2020

The last few months have been challenging for us all and now is the time to ask ourselves, ‘what can we learn from this experience and how do we future proof our business going forward?’.

Linden Care Homes Company Logo

Client News: Protecting Residents from COVID-19

5 Aug, 2020

Linden Care Homes closed their doors on 13th March to protect their residents from coronavirus.  With just one confirmed case and overall infection rates down, they are now looking to welcome family members back.

Lessons Learnt

What has humanity learnt from the Corona Virus?

16 Jul, 2020

About 4 months ago, the UK was struck with the consequences of the Coronavirus. Everything went into lockdown. For a few weeks, the streets that used to be bustling with shoppers and site seers were like a ghost town. We, as a nation, had to change. It’s not over yet, but as we’re starting to see some life after isolation, perhaps it’s time to ask the question; have we learnt anything from the experience?