What Is an ISMS and a Statement of Applicability in ISO 27001?
## The short answer
In ISO 27001, the **Information Security Management System (ISMS)** is the overarching framework of policies, processes, roles, and continual-improvement activities that an organisation uses to manage information security risk. The **Statement of Applicability (SoA)** is a single, central document that lists every control from the standard's reference set, states whether you apply it, and explains why or why not. The SoA is mandatory and is one of the first things an auditor will examine.
If you only learn two ISO 27001 terms, learn these two. The ISMS is the system; the SoA is its public ledger of decisions.
## What an ISMS actually is
An ISMS is not a piece of software and not a document — it is a *management system*, in the same sense as a quality management system. It is the set of coordinated activities by which leadership directs and controls information security. ISO 27001 requires the ISMS to include:
- **Context and scope** — what parts of the organisation, systems, and information the ISMS covers.
- **Leadership commitment** — top management owning the policy and providing resources.
- **Risk assessment and treatment** — a repeatable method for identifying, evaluating, and addressing information security risks.
- **Objectives and planning** — measurable security objectives and plans to meet them.
- **Operation** — running the controls day to day.
- **Performance evaluation** — monitoring, internal audit, and management review.
- **Improvement** — corrective actions and continual refinement.
The ISMS is deliberately risk-driven. ISO 27001 does not tell you to implement a fixed list of controls; it tells you to understand your risks and choose controls accordingly.
## The role of risk assessment
The ISMS revolves around risk. You define a method, identify risks to the confidentiality, integrity, and availability of information, evaluate them, and decide how to treat each one — typically by reducing, accepting, transferring, or avoiding the risk. The output of risk treatment feeds directly into the next document.
## What the Statement of Applicability does
The reference control set in ISO 27001 (set out in its Annex A and elaborated in the companion ISO 27002 guidance) contains a substantial list of controls spanning organisational, people, physical, and technological measures. The SoA is where you account for every one of them. For each control you record:
- Whether it is **applicable** to your organisation.
- The **justification** for including or excluding it.
- Its **implementation status**.
- A reference linking it to your risk treatment decisions.
Crucially, exclusions are allowed — but they must be justified. You cannot simply drop a control because it is inconvenient; you must explain why it does not apply to your scope and risk profile. This is what makes the SoA so revealing to an auditor: it shows whether your security decisions are deliberate and risk-based, or arbitrary.
## How the ISMS and SoA fit together
The flow runs like this:
1. Define the **scope** of the ISMS.
2. Run a **risk assessment** across that scope.
3. Decide **risk treatments**, selecting controls to address each significant risk.
4. Record those decisions in the **Statement of Applicability**.
5. Implement, operate, monitor, and improve the controls as part of the ongoing ISMS.
The SoA is therefore not a standalone checklist — it is the bridge between your risk assessment and your live controls. When risks change, your treatments change, and the SoA is updated to match.
## Common mistakes
- **Treating the SoA as a one-off** — it is a living document that must reflect your current control reality, not the state at first certification.
- **Copying a generic template** with every control marked "applicable" and no real justification — auditors see through this instantly.
- **Excluding controls without explaining why**, which undermines the credibility of the whole ISMS.
- **Confusing scope with the whole company** — a narrow, well-defined scope is often more defensible than an over-ambitious one.
## Keeping it alive
ISO 27001 places heavy emphasis on continual improvement. Your ISMS must show evidence of internal audits, management reviews, corrective actions, and updates to the risk assessment and SoA over time. A system that has not changed since certification is a red flag — real organisations and their risks evolve.
## Where tooling helps
Maintaining the link between risks, treatments, controls, and evidence is exactly where teams struggle as the organisation grows. Enterprise-grade compliance platforms — including those neart.ai builds — keep the SoA connected to live control evidence, so when a control's status changes the documentation does not silently fall out of date before your next surveillance audit.
## Takeaway
The ISMS is the engine of ISO 27001 and the Statement of Applicability is its logbook. Build a genuine, risk-driven management system, document every control decision honestly in the SoA, and keep both alive through regular review. Auditors are far more impressed by deliberate, justified choices than by a flawless-looking template no one maintains.