Statement of Applicability

A documented list of applicable information security controls, with justifications for inclusion or exclusion, typically used in ISO 27001.

A Statement of Applicability (SoA) is a formal document that lists the information security controls an organization has selected, and those it has excluded, along with justification for each decision. It is most commonly associated with ISO/IEC 27001 and its Annex A controls.

For regulated industrial and manufacturing environments, the Statement of Applicability connects the organization’s information security risk assessment to concrete control decisions affecting OT systems, production IT, MES/ERP integrations, laboratories, and quality systems.

Key characteristics

A Statement of Applicability commonly includes:

  • A complete list of candidate controls (often based on ISO/IEC 27001 Annex A or a similar control set).
  • An indication, for each control, of whether it is applicable or not applicable to the organization or the defined scope.
  • Justification for including each applicable control (for example, based on identified risks, legal or regulatory obligations, or contractual requirements).
  • Justification for excluding each non-applicable control (for example, risk not relevant, out of scope, or addressed by alternative mechanisms).
  • A reference to how applicable controls are implemented, such as related procedures, technical measures, or system configurations.

In practice, the SoA serves as a bridge between a risk assessment and the implemented information security management system (ISMS). It documents why certain protections are in place for production networks, data historians, batch records, supplier connectivity, and other manufacturing assets, and why some controls are not used.

Operational use in industrial and manufacturing settings

Within manufacturing organizations, the Statement of Applicability is typically used to:

  • Clarify which ISO/IEC 27001 controls apply to production sites, corporate IT, and shared OT/IT infrastructure.
  • Show how controls are allocated across systems such as MES, ERP, LIMS, QMS, and plant-floor networks.
  • Support internal and external audits by providing a structured reference to applicable controls and evidence sources.
  • Align information security with safety, quality, and regulatory requirements that affect electronic records, equipment, and data flows.

The SoA is usually maintained as a controlled document and updated when there are changes to scope, technology, significant risks, or relevant standards.

Common confusion

  • Not a risk assessment: The Statement of Applicability does not replace a risk assessment. It records control decisions that are informed by the risk assessment.
  • Not just a control checklist: It is more than a simple list; it must include rationale for including or excluding each control in the defined scope.
  • Not limited to four categories: Training or simplified models may group controls into a small number of categories, but the SoA should be based on the actual control set in use (such as ISO/IEC 27001 Annex A), not on informal groupings.

Relationship to ISO/IEC 27001

In ISO/IEC 27001 implementations, the Statement of Applicability is a required document within the ISMS. It identifies which Annex A controls are applicable to the defined scope and explains their status. For manufacturers operating in regulated sectors, the SoA is often a key reference for demonstrating how information security controls have been selected to support compliance, traceability, and protection of production and quality data.
