What the Statement of Applicability is and why SMEs need it
If you are putting together an information security management system, the Statement of Applicability is one of the most important documents you will create. In simple terms, it is the record that shows which security controls your business has chosen to use, which ones it has chosen not to use, and why.
For a small or medium-sized business, that matters for three reasons. First, it helps you make sensible decisions about security spending. Second, it gives you a clear way to explain those decisions to staff, suppliers, customers, and assessors. Third, it stops your security work becoming a loose collection of policies that no one can easily follow.
Think of it as the bridge between risk and action. Your risk assessment tells you what could go wrong. The Statement of Applicability shows how you respond. That makes it a practical management document, not just paperwork.
It also helps you avoid a common problem: buying or writing controls because they sound impressive, rather than because they address a real business need. A good Statement of Applicability keeps the focus on what matters to your organisation.
What first-time implementers should include
You do not need to make this document complicated. For each control you consider, record the basics clearly and consistently.
- The control name or reference used in your chosen framework
- Whether the control is included or excluded
- A short reason for that decision
- Who owns the control in the business
- Where the supporting evidence lives
That is usually enough for a first version. The aim is not to write a long essay for every item. The aim is to show that the decision was deliberate and linked to business risk.
If a control is included, note how it is implemented in plain language. For example, instead of writing a technical description, you might say that access to customer records is limited to named staff, with manager approval for changes. That is easier for leaders to understand and easier to keep up to date.
If a control is excluded, be honest and specific. A weak statement such as “not relevant” is rarely helpful. A better explanation would be that the business does not operate a particular type of system, or that the risk is handled in another way. The key is to show that the decision was considered, not accidental.
Ownership is often overlooked, but it is essential. If no one is responsible for a control, it tends to drift. Assigning an owner helps you keep the document alive and makes reviews much easier.
How to build it from your risk assessment
The best way to build the Statement of Applicability is to start with your risk assessment, not with a blank template. That keeps the document grounded in real business concerns.
Begin by listing the main risks to your organisation. These might include unauthorised access to data, loss of laptops, supplier failure, phishing emails, or service outages. Then decide which controls reduce each risk in a sensible way.
For example, if one of your risks is staff using weak passwords or sharing accounts, you may decide to include controls around user access management, password rules, and account review. If your business relies heavily on a cloud service, you may include supplier assurance and backup arrangements. If you hold sensitive customer information, encryption and access restrictions may be important.
This is where many first-time implementers go wrong. They copy a generic template and tick every box, or they leave out controls because they seem difficult. Both approaches create problems later. A copied template often includes controls that do not fit the business. A thin or incomplete document can leave gaps between what you say and what you actually do.
A better approach is to ask three questions for each control:
- What risk does this control address?
- Do we actually need it in our business?
- If we are not using it, what is our reason?
If you can answer those questions clearly, your Statement of Applicability will usually be in good shape.
It also helps to keep the language consistent with the rest of your information security management system. If your policies say one thing and your Statement of Applicability says another, staff will notice the confusion. Consistency is more valuable than clever wording.
How to keep it useful as your business changes
The Statement of Applicability should not sit in a folder and gather dust. It needs to reflect how the business actually operates.
Review it when something meaningful changes, such as:
- You introduce a new system or platform
- You change a supplier that handles important data
- You move offices or shift to more remote working
- You suffer an incident that reveals a weakness
- You change how staff or contractors access information
Regular review is important too. Many SMEs find it sensible to check the document at least annually, and sooner if there has been a significant change. The exact timing should fit the pace of your business.
To keep it practical, link the Statement of Applicability to the things you already manage. If a control is included, make sure there is a policy, procedure, or working practice that supports it. If the control is not in place, make sure the reason still makes sense. If the business has changed, the old reason may no longer be valid.
Evidence matters here as well. You do not need a mountain of documents, but you do need enough to show that the control is real. That may include training records, access reviews, backup reports, supplier checks, or meeting notes. Keep the evidence easy to find. If the person maintaining the system cannot locate it quickly, the document is less useful.
It is also worth making the document understandable to non-specialists. Directors, managers, and team leaders may need to use it when making decisions. If it is full of technical detail, it becomes harder to maintain and less likely to be read.
Common mistakes SMEs make with the Statement of Applicability
One of the most common mistakes is overstating controls that are not actually in place. This can happen when a business wants to present itself as more mature than it is. The problem is that the document then stops reflecting reality. If a control is listed as active, people will assume it is being done. If it is not, you create confusion and unnecessary risk.
Another mistake is making the document too technical. The Statement of Applicability should support decision-making, not impress people with jargon. If only one person in the business can understand it, that is a weakness. Keep the wording simple enough that a manager can read it and know what is expected.
Some SMEs also treat it as a one-off exercise. They write it once, then forget about it. That usually leads to drift. Security controls change, suppliers change, and business priorities change. A living document is far more useful than a perfect document that is out of date.
Finally, some businesses separate the Statement of Applicability from day-to-day practice. If the document says a control exists but staff do something different, the gap will show up sooner or later. The aim is alignment between the written record and the way the business actually works.
A practical checklist for first-time implementers
Before you sign off the document, ask yourself these questions:
- Have we linked each included control to a real business risk?
- Have we explained exclusions in plain English?
- Does each control have an owner?
- Can we find evidence that the control is operating?
- Does the document match our policies and procedures?
- Would a manager who is not technical understand the main decisions?
It can also help to use a short review routine:
- Check for new systems, suppliers, or ways of working
- Confirm that included controls still reflect current practice
- Remove or update anything that no longer applies
- Make sure action owners know what they are responsible for
- Record the date of the last review and the next planned review
If you keep this routine simple, it is much easier to maintain. The goal is not to create more administration. The goal is to make security decisions visible, sensible, and easy to revisit.
For many UK SMEs, the real value of the Statement of Applicability is that it turns an abstract security framework into something practical. It helps you show what you have chosen to do, what you have chosen not to do, and why those choices make business sense.
If you are starting from scratch, or if your current version feels too technical or too thin, it may be worth getting a second opinion before you rely on it. A short review can often save time later by spotting gaps, unclear wording, or controls that do not match the way the business actually operates.
Used well, the Statement of Applicability becomes more than a compliance document. It becomes a working tool for managing risk, keeping people aligned, and making sure your information security efforts stay relevant as the business grows.
Frequently asked questions
Do we need to include every ISO 27001 control in the Statement of Applicability?
You should consider every relevant control in the framework you are using, but you do not need to say yes to all of them. Some will be included, some may be excluded, and each decision should have a clear reason linked to your business risk and operating model.
How often should an SME review the Statement of Applicability?
At least once a year is a sensible starting point for many SMEs, but you should also review it after major changes such as new systems, new suppliers, office moves, or security incidents. The right timing depends on how quickly your business changes.
What is the biggest mistake first-time implementers make?
Usually it is treating the document as a template to complete rather than a record of real decisions. If it does not reflect how the business actually works, it will not help you manage risk properly.
Who should own the Statement of Applicability?
It should have a named owner who can keep it current, coordinate updates, and make sure it stays aligned with the rest of the information security management system. In a small business, that is often a manager or the person leading the security programme.
Can we keep it simple?
Yes. Simple is usually better, as long as the decisions are clear, the reasons are sensible, and the document matches reality. A concise, well-maintained version is far more useful than a long one that nobody uses.
Need help making your Statement of Applicability practical and easy to maintain? Speak to a consultant.


Comments are closed