Practical, Cost Effective and award-winning

Business Continuity, Crisis Management & Information Security Solutions


0800 035 1231 (Mon to Fri 9am – 5pm)

Suite 3, The Cotton Mill, Torr Vale Mills, New Mills, Derbyshire, SK22 4HS, UK

Statement of Applicability (SoA)

Information Security Controls

The Statement of Applicability (SoA) is the area that causes most consternation; yet, by following a few simple steps, it becomes the guide to the control of your risks, and need not be a complicated or onerous chore.


ISO 27001 lists a number of ‘Reference control objectives and controls’, each designed to identify risk treatments and controls for a specific area. There are 114 controls in 14 groups, covering areas such as human resource security, physical and environmental security, asset management and information security incident management. It is worth noting that there is a degree of overlap in many instances: the controls in one group may equally provide control in another area.

You will need to decide which of these controls are required for your organisation, and give justification for their inclusion or exclusion. There are a number of controls that would be difficult for any organisation to exclude, such as information security incident management, information security continuity, human resource continuity or asset management. For those areas that are outside your control, such as where IT services are outsourced, the direct responsibility for implementation lies with the supplier. However, in these instances the ownership of the risks still lies with you and, therefore, the oversight of those controls comes under A.15 Supplier relationships, which should ensure that satisfactory controls are in place.

ISO 27001 and ISO 27002

The SoA is underpinned by ISO 27002, which gives detailed guidance as to considerations for each of the control objectives and controls; we would encourage anyone who is intending to work towards ISO 27001 certification to utilise the guidance in ISO 27002.


We can assist in the development of your risk assessment and risk treatment process, capturing this in your Statement of Applicability, ensuring that you understand the process so that you are able to take ownership.  Our documentation is straightforward and user-friendly, giving clarity and good oversight.


Get In Touch

We are always happy to answer any questions you may have, please either contact us by telephone, or by filling in the form below.


I used Cambridge Risk Solutions to develop a Business Continuity Plan for Bio-Rad in the UK. I would highly recommend Cambridge Risk Solutions.


  • Business Continuity Planning

    Effective planning that takes into account risk evaluation and business impact analysis, supported by clear and concise crisis management. We work with you to develop user-friendly plans.

  • Business Impact Analysis

    The Business Impact Analysis (BIA) is one of the most important, and least well understood, stages of the Business Continuity Management Lifecycle; we can assist with your BIA.

  • Training and Exercising

    No Business Continuity Management programme is effective without a significant element of training. Moreover, ongoing Crisis Management training and exercising is key. We can provide objective training and exercising.

  • Risk Evaluation and Control

    Risk evaluation and treatment provide a process to identify, prioritise and manage your risks. Cambridge Risk Solutions can assist with risk management for business operational and information security risks.

  • Statement of Applicability

    Which controls do you need to have in place? How do you link your risk assessment process into your SoA? How do you ensure that you have effective controls in place? We can assist with your SoA.

  • Integrated Management Systems

    Management Systems assist with your on-going management, maintenance and continual improvement. We work with you to develop a fully integrated management system, enabling certification to ISO 22301 and ISO 27001.