Statement of Applicability
ISO/IEC 27001 and ISO/IEC 27701
The link below provides a Microsoft Word document that contains one blank table, which you can complete to compile a Statement of Applicability for the ISO/IEC 27001 Annex A controls.
ISO/IEC 27001:2013, Annex A
ISO/IEC 27001:2022, Annex A
The link below provides a Microsoft Word document that contains two blank tables that you can complete to compile a Statement of Applicability for the following two sets of controls.
ISO/IEC 27701 Annex A for PII Controllers
ISO/IEC 27701 Annex B for PII Processors
ISO/IEC 27701:2019, Annexes A and B
All of the tables have a right-hand column titled Notes on Implementation, for recording the information needed in a detailed Statement of Applicability that is primarily intended for internal use. Delete this column from each table to produce a concise Statement of Applicability that conforms to the minimum requirements of ISO/IEC 27001 and can be referenced on your ISO/IEC 27001 certificate.
ISO 37001
The link below provides a Microsoft Word document that contains one blank table, which you can complete to augment a Statement of Applicability for ISO/IEC 27001 (and ISO/IEC 27701) so that it also covers ISO 37001, 8.3 Financial Controls and 8.4 Non-financial Controls.
ISO 37001:2016, Financial and Non-financial Controls
ISO 37001, 8.3 Financial Controls and 8.4 Non-financial Controls
This is very similar to both ISO/IEC 27001 and ISO/IEC 27701, where you must select which controls to apply (from Annex A of ISO/IEC 27001 and Annexes A and B of ISO/IEC 27701) and justify the inclusion or exclusion of each individual control, based upon your information security risk assessment (and privacy risk assessment).
The document contains a table that helps you include or exclude the controls suggested in ISO 37001 Annex A, A.11 and A.12, and also list any further additional controls you decide to apply.
Lastly, ISO 37001, 8.3 Financial Controls and 8.4 Non-financial Controls