After completing your risk assessment, you must decide which security controls will protect your business. This decision is documented in the ISO 27001 Statement of Applicability (SoA). For UK small businesses, the SoA is the most important document in the ISMS because it explicitly states which of the 93 Annex A controls you have implemented and, crucially, which ones you have excluded and why.
Why the ISO 27001 Statement of Applicability Matters
The SoA acts as a bridge between your high-level risk treatment and your actual technical environment. According to Clause 6.1.3, your ISO 27001 Statement of Applicability must:
- Identify the controls necessary to treat your specific risks.
- Compare those controls against the controls in Annex A to confirm that no necessary control has been overlooked.
- Record, for each Annex A control, whether it is included (and whether it is implemented) with a justification for inclusion, or excluded with a justification for the exclusion (e.g., if you don’t develop software, you may exclude control 8.28, “Secure coding”).
At DigiUK, we help small businesses draft this document in a professional manner. Our consultancy ensures you don’t over-complicate your SoA, so you can get certified at lower cost by focusing only on the controls that actually apply to your Manchester or UK-based operations.
Mapping Annex A Controls to Real-World Security
The 2022 update of the standard consolidated Annex A from 114 controls into 93, grouped into four clear themes: Organizational (5.x), People (6.x), Physical (7.x), and Technological (8.x). When filling out your ISO 27001 Statement of Applicability, it is not enough to mark a control as included: at audit you must show evidence that each selected control is actually in place and functioning.
Validating Your SoA with Technical Testing
A major mistake many implementers make is assuming a control is “in place” just because there is a written policy. This is where technical validation becomes vital.
While the SoA provides the framework, our DCCP Course focuses on the “hands-on” side of the coin. We teach Penetration Testing and advanced Cybersecurity skills that allow you to stress-test the very controls listed in your ISO 27001 Statement of Applicability. If your SoA claims you have robust “Access Control,” our technical training teaches you how to verify that claim the way a professional penetration tester would: by attempting to bypass the control, not by reading the policy.
Common Pitfalls in ISO 27001 SoA Documentation
- Generic Justifications: “Not applicable” is not enough; you must explain why the control does not apply to your business.
- Ignoring Annex A Updates: Ensure you are using the 2022 control set (93 controls, numbered 5.1 to 8.34), not the older 2013 version (114 controls with three-part identifiers such as A.9.2.3).
- Lack of Evidence: If a control is listed as implemented but you cannot show evidence that it is in place and working (a configuration export, a log, a test report), the auditor will raise a non-conformity.
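The three pitfalls above can be checked mechanically before an auditor does it for you. The script below is an added example written for this page; it is not DigiUK’s tooling and the standard prescribes no SoA file format, so the CSV column names (`control_id`, `applicable`, `justification`, `evidence`) and the sample rows are constructed assumptions. It flags excluded controls with a generic justification, identifiers that still use the 2013 numbering, applicable controls with no evidence reference, and it lists which of the 93 2022 controls the SoA does not mention at all.

```python
"""Consistency checks for an ISO/IEC 27001:2022 Statement of Applicability (SoA).

Added example for this page, not DigiUK's or ISO's code. The CSV layout and the
sample rows below are assumptions; the standard does not prescribe a format.
"""
import csv
import io
import re

# ISO/IEC 27001:2022 Annex A: 93 controls in four themes (5.x Organizational,
# 6.x People, 7.x Physical, 8.x Technological).
THEME_COUNTS = {"5": 37, "6": 8, "7": 14, "8": 34}

ID_2022 = re.compile(r"^(?:A\.)?([5-8])\.(\d{1,2})$")          # 5.1, A.8.28
ID_2013 = re.compile(r"^(?:A\.)?\d{1,2}\.\d{1,2}\.\d{1,2}$")   # A.9.2.3 (2013 numbering)

# Justifications that give no business reason for an exclusion.
GENERIC_JUSTIFICATIONS = {"", "n/a", "na", "not applicable", "not relevant", "none", "excluded"}

# Constructed sample SoA (column names are an assumption of this example).
SAMPLE_SOA = """control_id,applicable,justification,evidence
5.1,yes,Policies are required for all staff and contractors,POL-01 Information security policy v3
8.28,no,Not applicable,
A.9.2.3,yes,Admins need privileged accounts for server maintenance,
8.5,yes,MFA is enforced on all remote access,Conditional access policy export 2024-05
7.4,no,"Single-tenant office in a managed building; landlord operates CCTV and reception under contract LL-07",
"""


def all_2022_controls():
    """Every control identifier in the 2022 Annex A, as '5.1' ... '8.34'."""
    return [f"{t}.{n}" for t, count in THEME_COUNTS.items() for n in range(1, count + 1)]


def normalise_id(control_id):
    """Return '5.1' for '5.1' or 'A.5.1'; None if it is not a valid 2022 identifier."""
    match = ID_2022.match(control_id.strip())
    if not match:
        return None
    theme, number = match.group(1), int(match.group(2))
    if not 1 <= number <= THEME_COUNTS[theme]:
        return None
    return f"{theme}.{number}"


def lint_row(row):
    """Return a list of finding strings for one SoA row (empty list means clean)."""
    findings = []
    cid = row["control_id"].strip()
    applicable = row["applicable"].strip().lower() == "yes"
    justification = row["justification"].strip()
    evidence = row["evidence"].strip()

    if ID_2013.match(cid):
        findings.append(f"{cid}: 2013-style control identifier, migrate to the 2022 control set")
    elif normalise_id(cid) is None:
        findings.append(f"{cid}: not a valid ISO/IEC 27001:2022 Annex A control identifier")

    if not applicable and justification.lower() in GENERIC_JUSTIFICATIONS:
        findings.append(f"{cid}: excluded without a specific justification")
    if applicable and not evidence:
        findings.append(f"{cid}: applicable but no evidence reference (policy, config export, test report)")
    return findings


def lint_soa(csv_text):
    """Run lint_row over every row of a CSV-formatted SoA and collect the findings."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.extend(lint_row(row))
    return findings


def missing_controls(csv_text):
    """2022 controls that the SoA does not address at all (each of the 93 must appear)."""
    covered = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        normalised = normalise_id(row["control_id"])
        if normalised:
            covered.add(normalised)
    return [cid for cid in all_2022_controls() if cid not in covered]


if __name__ == "__main__":
    for finding in lint_soa(SAMPLE_SOA):
        print("FINDING:", finding)
    absent = missing_controls(SAMPLE_SOA)
    print(f"{len(absent)} of 93 Annex A controls are not addressed, e.g. {absent[:5]}")
```

Run against the constructed sample, the checker reports three findings: control 8.28 is excluded with only “Not applicable” as its reason, and the 2013-style row A.9.2.3 is flagged both for its identifier and for claiming implementation without evidence. Row 7.4 is excluded too, but its justification names a concrete reason, which is what an auditor expects to read. The missing-controls list is the reminder that an SoA must address all 93 controls, not only the ones you chose to write about.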
Conclusion: Preparing for the ISO 27001 Audit
Your ISO 27001 Statement of Applicability is a living document. It should evolve as your UK small business grows and new technical threats emerge.
For the official list of Annex A control categories, you can review the ISO/IEC 27001:2022 Standard. If you need a professional, affordable partner to help you map these rules and secure your network, DigiUK is ready to get you audit-ready.