The Statement of Applicability

ISO/IEC 27001:2013 and your SoA

The journey an organisation takes to gain certification to ISO/IEC 27001:2013 (Information security management systems (ISMS), requirements) must include the creation of a statement of the applicable controls (or measures) used within the scope of the ISMS. The Statement of Applicability (SoA) is a mandatory requirement: it is a 'statement' of the controls (or measures) you have implemented in response to the options you have selected to treat a particular risk. The simple diagram above (and yes, it is simple) shows that the SoA is an 'output' document. I am going to say that the following is all theory, but only because it causes so much angst. Having identified, within the scope of your ISMS, the source, the cause, the event and the consequence of a risk, and having found through analysis and evaluation that it is unacceptable, the business makes the decision to 'treat' the risk in some fashion....