What is a Statement of Applicability?

Written by Ivar van Duuren

July 18, 2023

security island

A statement of applicability (SoA) is a document used to establish the relevance and degree of compliance with certain norms and standards within an organization. It is often prepared as part of certification processes, such as ISO certifications.

How does it differ from a conformity statement?

A conformity statement refers to compliance with specific legal or regulatory requirements. While a SoA focuses more on voluntary norms and standards.

For example, a conformity statement is issued by a manufacturer to demonstrate that its product meets all relevant safety and quality requirements.

But a SoA is used to demonstrate that an organization meets specific requirements regarding information security, environmental management, or quality management.

When is a statement of applicability needed?

A SoA is particularly relevant in situations where an organization seeks certification to certain norms and standards. It then functions as a tool to evaluate the organization’s current situation against the requirements of the standard. And to identify possible gaps in compliance.

Based on this evaluation, it is then easier to take action to meet all requirements.

Which organizations benefit from a statement of applicability?

A statement of applicability is particularly relevant to organizations seeking certification to specific norms and standards. These include both small and large companies, operating in different sectors, such as IT, healthcare, manufacturing, services, and other industries.

Establishing a SoA makes it easier to demonstrate to customers, partners, and other stakeholders that the organization meets specific standards. As such, it is a valuable tool for increasing confidence in the organization and creating new business opportunities.

In addition, a declaration of applicability helps identify and manage risks within the organization, making it better prepared for potential threats.

The relationship between a SoA and ISO 27001 certification

The SoA plays an essential role in achieving ISO 27001 certification. Creating and implementing a detailed statement of applicability enables organizations to demonstrate compliance with all relevant requirements of the ISO 27001 standard.

It also helps demonstrate that the ISMS is effective in identifying, assessing, and addressing information security risks.

During an ISO 27001 audit, a certifying agency thoroughly examines the organization’s compliance with all requirements of the standard. A well-presented and well-reasoned statement of applicability increases the chances of successful certification.

Also read: What are the benefits of ISMS software?

Tips on implementing a statement of applicability

Here are 10 tips to help you successfully implement a SoA.

1. Know the relevant norms and standards

Before you begin drafting a statement of applicability, it is essential to be familiar with the applicable norms and standards within your industry.

Consider ISO certifications, privacy regulations such as GDPR or AVG, and specific industry standards.

2. Determine the scope

A statement of applicability should clearly indicate which parts or processes are covered within your organization. Therefore, define the scope accurately before you start implementing.

3. Assemble a project team

Implementing a SoA is often a complex process that affects several departments and disciplines within your organization.

Therefore, put together a project team with representatives from all relevant domains to ensure that your team properly considers all aspects.

4. Map the current situation

Before making any changes, it is important to understand the current situation within your organization. Conduct a thorough audit to determine where improvements are needed and which processes already meet the set standards.

5. Identify risks and opportunities

A statement of applicability can also help identify risks and opportunities within your organization. Map these clearly and develop measures to control risks or exploit opportunities.

Also read: Tips on asset risk management through ISO 27001

6. Implement appropriate measures

After you have identified the risks and opportunities, it is time to implement appropriate measures. Make sure these measures are effective in achieving the set goals.

7. Communicate and train employees

To successfully implement the SoA, it is important to inform and train all employees on the changes. This increases staff awareness and commitment.

8. Monitor and measure performance

A statement of applicability is not a one-time action, but an ongoing process. Implement a system to monitor performance and regularly measure whether you are still meeting the set standards.

9. Ensure continuous improvement

Regularly evaluate whether there is room for improvement in your processes and measures. Strive for continuous improvement to meet all requirements as efficiently as possible.

10. Get certified

As a final step, consider getting your organization certified according to the applicable norms and standards in your statement of applicability. A certification helps build trust with customers and stakeholders.

Also read: ISO 27001 Certification: Step-By-Step Guide


A statement of applicability is a document that demonstrates that an organization complies with specific norms and standards. It differs from a conformity statement in that it focuses more on voluntary standards rather than legal requirements.

A SoA is especially relevant to organizations seeking certification and can help improve trust, risk management, and business opportunities.

Need help implementing ISO 27001 certification?

Need help taking steps to comply with ISO 27001 certification? ISOPlanner prevents financial and reputational damage by providing an approachable way to help organizations comply with increasingly complex laws and regulations. Start a free trial of our software or contact us, we are happy to help!

Related Articles

3 Expert Tips to Implement ISO Standards More Efficiently

3 Expert Tips to Implement ISO Standards More Efficiently

When you start implementing an ISO standard, you need to think about things you need to take care of, such as scheduling an internal and an external audit. If you develop software, you may need to do a pen test to check out vulnerabilities. In addition, you need to...

Information security with ISOPlanner: building on a solid foundation

Information security with ISOPlanner: building on a solid foundation

One piece of advice we sometimes hear when it comes to ISO certification is that every ISO implementation is customized. On the one hand, that's true, of course. Because every organization is different. So each organization itself has to look very carefully at exactly...

Sign Up For Our Newsletter

Join over 1.000 ISO professionals for the latest ISO insights