Cambridge Risk Solutions

Statement of Applicability ISO 27001

The Statement of Applicability ISO 27001 is the area that causes most consternation and yet, by following simple steps, this will be the guide to the control of your risks, and need not be a complicated nor onerous chore.

ISO 27001 lists a number of ‘Reference control objectives and controls’, each designed to identify risk treatments and controls around a number of specific areas.

Information security controls diagram


There are 93 controls, separated into four groups: Organisational, People, Physical and Technological. The controls can additionally be viewed using ‘attributes’:

  • Control type
  • Information security properties
  • Cybersecurity concepts
  • Operational capabilities
  • Security domains

It is worth noting that there is a degree of overlap in many instances, and the controls for one of the groups may equally provide control in another area.

You will need to decide which of these controls are required for your organisation, and give justification for their inclusion or exclusion.

There are a number of controls that would be difficult for any organisation to exclude such as policies for information security, response to information security incidents or information security awareness, education or training.

For those areas that are outside your control, such as in the case where IT services may be outsourced, then the direct responsibility for the implementation lies with the supplier. However, in these instances, the ownership of the risks will still lie with you and, therefore, the oversight of those controls will then come under 5.21 Managing information security in the information and communication technology (ICT) supply chain and 5.22 Monitoring, review and change management of supplier services.

ISO 27001 and ISO 27002

The Statement of Applicability ISO 27001 is underpinned by ISO 27002, which gives detailed guidance for each of the control objectives and controls; we would encourage anyone who is intending to work towards ISO 27001 certification to utilise the guidance in ISO 27002.


We can assist in the development of your risk assessment and risk treatment process, capturing this in your Statement of Applicability, ensuring that you understand the process so that you are able to take ownership.

Our documentation is straightforward and user-friendly, giving clarity and good oversight.

We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.

How Can Cambridge Risk Solutions Help?

Cambridge Risk Solutions provides a range of services to assist with the implementation of Information Security, and have an experienced ISO 27001 Lead Auditor who can assist with readiness for certification to ISO 27001:2022

View some case studies of recent Information Security and ISO 27001 projects.

Scroll to Top
Scroll to Top