Statement of Applicability (SoA)
The Statement of Applicability (SoA) is a document that identifies an organization's information security control or quality standard objectives, its future security controls or quality controls, and which security controls or quality standards are not applicable or relevant. The Statement of Applicability also includes an explanation of how and why such controls are appropriate. The SoA is derived from performing a risk assessment and developing a risk treatment plan.
The Statement of Applicability should reference policies, procedures and other documentation and implemented systems through which controls will manifest.
It is important to utilize the SoA to provide justifications as to why specific controls were excluded from the risk treatment plan.
The Statement of Applicability is a vital document in the certification process. The SoA lists all of the controls in question and gives the status of each control along with any associated justification. Because it is a single document that provides the information required for certification, it streamlines the process: the controls, their status and their justification are contained in one document, as opposed to multiple documents for each control, its status and justification.
Risk Management Software - RM Studio and the Statement of Applicability
RM Studio is equipped with click-of-the-button reporting functionality. Included in this function is the Statement of Applicability report. For more information on RM Studio, check out the Risk Management Software page and the Benefits and Features of RM Studio page.


