A Statement of Applicability (SoA) is a controlled document that lists the specific controls an organization has selected to implement within a management system, along with their implementation status and justification for inclusion or exclusion. In regulated industrial and manufacturing environments, SoAs are most commonly associated with information security and cybersecurity management systems, but the concept is also applied to other control-based frameworks.
Key characteristics
A Statement of Applicability typically:
- References a defined control catalogue or standard (for example, an information security, cybersecurity, or risk-management framework).
- Records each control's applicability (applicable or not applicable) and, for applicable controls, its implementation status (implemented or partially implemented).
- Provides a justification for including or excluding each control, based on risk, scope, and regulatory obligations.
- Describes how applicable controls are implemented at a high level, often pointing to detailed procedures, technical configurations, or work instructions.
- Is maintained as a living document, updated when scope, risk posture, or controls change.
In manufacturing, the SoA may cover controls affecting OT networks, MES and ERP integrations, production data, quality records, and other systems that support regulated operations.
Operational use in industrial and regulated environments
Within plants and multi-site operations, a Statement of Applicability is commonly used to:
- Define which security or risk controls apply to specific facilities, production lines, or systems (for example, OT zones or MES environments).
- Support audits by providing a single reference that links applicable controls to evidence sources such as SOPs, configuration baselines, and log records.
- Demonstrate how corporate policies are translated into concrete controls at the shop-floor and system level.
- Align IT, OT, and quality teams around a shared view of control requirements and current implementation status.
Scope and boundaries
The Statement of Applicability:
- Includes the list of candidate controls from the chosen framework, applicability decisions, implementation status, and justifications.
- May reference detailed procedures, work instructions, or technical standards but does not replace them.
- Does not itself define how to perform each control activity in operational detail; that is typically handled in separate documents.
Common confusion
- SoA vs. Policy: A policy sets principles and intent, while the SoA documents which specific controls are selected and how they apply.
- SoA vs. Risk Register: A risk register records risks, causes, and treatments. The SoA records the status of controls that may mitigate those risks.
- SoA vs. Audit Report: An audit report evaluates effectiveness and compliance. The SoA is a structured inventory of controls and applicability, used as input for audits.
Use across disciplines
The term “Statement of Applicability” is most strongly associated with information security management systems, but similar documents are used in other management system standards that rely on a defined set of controls. In manufacturing, organizations may adapt the SoA concept to encompass controls for cybersecurity, data integrity, quality records handling, and other regulated operational processes.