Statement of Applicability


ISO/IEC 27001 and ISO/IEC 27701


The link below provides a Microsoft Word document that contains one blank table, which you can complete to compile a Statement of Applicability for the ISO/IEC 27001 Annex A controls.


ISO/IEC 27001:2013, Annex A


The link below provides a Microsoft Word document that contains three blank tables that you can complete to compile a Statement of Applicability for the following three sets of controls.


ISO/IEC 27001 Annex A
ISO/IEC 27701 Annex A for PII Controllers
ISO/IEC 27701 Annex B for PII Processors


ISO/IEC 27001:2013, Annex A and ISO/IEC 27701:2019, Annexes A and B


The tables all have a right-hand column titled Notes on Implementation, for recording the information needed for a detailed Statement of Applicability, primarily intended for internal use. Delete this column (on each of the tables) to produce a concise Statement of Applicability that conforms to the minimum requirements of ISO/IEC 27001 and can be referenced on your ISO/IEC 27001 certificate.


ISO 37001


The link below provides a Microsoft Word document that contains one blank table, which you can complete to augment a Statement of Applicability for ISO/IEC 27001 (and ISO/IEC 27701) to also cover ISO 37001, 8.3 Financial Controls and 8.4 Non-Financial Controls, including ISO 37001, Annex A, A.11 Financial Controls and A.12 Non-Financial Controls.


ISO 37001:2016, Financial and Non-Financial Controls


ISO 37001, 8.3 Financial Controls and 8.4 Non-Financial Controls simply stipulate that the organisation must implement these two types of controls; neither clause stipulates any specific requirements for the controls. ISO 37001, Annex A, A.11 Financial Controls and A.12 Non-Financial Controls provide considerable and useful guidance. However, you must decide which controls to apply and how to implement them.

This is very similar to both ISO/IEC 27001 and ISO/IEC 27701, where you must select which controls to apply (from Annex A of ISO/IEC 27001 and Annexes A and B of ISO/IEC 27701) and justify the inclusion or exclusion of each individual control, based upon your information security risk assessment (and privacy risk assessment).

The document contains a table that you can use to record whether each control suggested in ISO 37001 Annex A, A.11 and A.12 is included or excluded, and to list any further controls you decide to apply.

Lastly, ISO 37001, 8.3 Financial Controls and 8.4 Non-Financial Controls refer to controls upon information. If you implement ISO 37001 together with ISO/IEC 27001 (and ISO/IEC 27701), this financial and non-financial information will probably fall within the scope of your implementation of ISO/IEC 27001. (This will depend upon the scope that you define for your implementation of ISO/IEC 27001.) If this financial and non-financial information does fall within the scope of your implementation of ISO/IEC 27001, you must include these financial and non-financial controls on your Statement of Applicability.