What is a Statement of Applicability in ISO 27001?

What is a Statement of Applicability (VvT or SoA)?
The Statement of Applicability (SoA), abbreviated VvT in Dutch, is a mandatory document within ISO 27001. It specifies which security measures (controls) from Annex A of ISO 27001 do or do not apply to your organization, and why.
The document includes:
- A list of all 93 controls in Annex A (2022 version)
- For each control, an explanation of:
  - whether it is applicable or not applicable
  - why that choice was made
  - any references to policy documents, risks or technical measures
👉 So it is not a box-ticking exercise, but a reasoned justification of how your organization handles information security.
Why is the VvT (SoA) so important?
The VvT is one of the most important documents in your Information Security Management System (ISMS). Here are the main reasons why:
1. It is a mandatory document for certification
Without a current and substantiated VvT, you cannot be certified according to ISO 27001.
2. You can be certified against only one measure
ISO 27001 does not require you to apply all 93 measures. You can (in theory) even certify against only one measure, as long as you substantiate this properly in the VvT. That's exactly why customers often want to see your VvT: to assess how mature your ISMS is.
3. Customers and suppliers are asking for it
More and more organizations ask for the VvT to assess the extent to which your organization has implemented the controls. This is particularly important in the supply chain: suppliers who work with sensitive data must be able to demonstrate that they take appropriate security measures.
Tip: Ask your own suppliers for their VvT as well when you work with confidential information. It gives you immediate insight into their security level.
What does a good Statement of Applicability look like?
A VvT usually follows a fixed tabular format and must contain the following components:
- The necessary controls, written out in full;
- A justification for including each of them;
- Whether each of the necessary controls has been implemented or not;
- A justification for each Annex A control that has been excluded.
Below is a simple example (for a few measures):

Note: a good VvT is dynamic. The document grows with your organization, your risk assessment and technological developments.
Common mistakes in the VvT
❌ Ticking controls off without justification
❌ Not updating the document for new risks or controls
❌ No documentation or evidence of implementation
❌ No attention to the “reason for non-application”
In summary
The Statement of Applicability is much more than a checklist: it's the heart of your certification. Customers, suppliers and auditors use it to assess whether you really have control over risks and take appropriate measures.
💡 Do you want to be well prepared for questions from customers or suppliers? Then start with a clear and well-founded VvT.