The Statement of Applicability (SoA): Bringing ISO 27001 Controls to Life for SaaS Providers

Turning Compliance Into a Blueprint for Trust

For SaaS companies, every line of code and every cloud configuration can influence your clients’ security. Achieving ISO 27001 certification is about more than policies; it’s about showing that your security controls are intentional, implemented, and effective.

That’s exactly what the Statement of Applicability (SoA) does.

The SoA is the beating heart of an ISO 27001 Information Security Management System (ISMS). It maps every Annex A control, all 93 of them, to your real-world operations, showing what applies, what doesn’t, and why.

At Canadian Cyber, our SoA Template (CC-ISMS-006) helps SaaS providers document, justify, and maintain their control environment, providing a single, auditable link between your risk register, risk treatment plan, and security evidence.

Why the SoA Matters for SaaS Companies

The SoA isn’t just paperwork; it’s your company’s security backbone.

  • Every ISO 27001 control is evaluated and mapped to business context
  • Cloud responsibilities (AWS, Azure, GCP) are clearly defined
  • Risks, evidence, and policies are traceable in one place
  • Auditors see exactly how your ISMS protects customer data

In essence, the SoA shows you’re not just compliant — you’re in control.

Building the SoA Using the CC-ISMS-006 Template

The Canadian Cyber Statement of Applicability Template aligns with ISO/IEC 27001:2022 Clause 6.1.3 (d) and the 2022 Annex A controls.

It walks SaaS providers through:

  1. Listing all 93 Annex A controls.
  2. Marking each as applicable or not applicable, with justification.
  3. Mapping each to the Risk Treatment Plan.
  4. Recording implementation status and evidence location.
  5. Maintaining ownership, versioning, and review logs.

🧾 Sample Statement of Applicability (SoA)

(Based on the Canadian Cyber CC-ISMS-006 Template)

Note: The following example uses a fictitious company, CloudNova Software Inc., created for demonstration purposes.

Document Title: Statement of Applicability
Document Number: CN-ISMS-006
Version: 2.0
Date: October 2025
Company: CloudNova Software Inc.
Classification: Confidential

1. Purpose

This document identifies all ISO 27001:2022 Annex A controls relevant to CloudNova’s ISMS, indicating applicability, implementation status, and supporting evidence. It ensures the company’s controls align with the Risk Treatment Plan and satisfy certification requirements.

2. Scope

Applies to all CloudNova Software operations involved in developing, deploying, and maintaining its SaaS platform, including:

  • Product engineering and DevOps teams
  • Cloud operations (AWS and Azure)
  • Security Monitoring and Incident Response
  • Corporate IT, HR, Legal, and Procurement

3. References

  • ISO/IEC 27001:2022 and 27002:2022
  • CC-ISMS-001 – ISMS Scope
  • CC-ISMS-002 – Information Security Policy
  • CC-ISMS-003 – Risk Assessment Methodology
  • CC-ISMS-004 – Risk Register & Treatment Plan
  • CC-ISMS-005 – Risk Treatment Process & Plan
  • CC-ISMS-008 – Internal Audit Program & Reports

4. Roles & Responsibilities

  • CEO (Laura Kim) – Approves the SoA and ensures alignment with business goals.
  • ISMS Manager (David Singh) – Maintains the SoA, updates control mappings, and coordinates reviews.
  • CTO (Sarah Nguyen) – Owns technical controls and verifies implementation.
  • Department Leads – Provide evidence and track control effectiveness.
  • Internal Auditor – Validates status and recommends improvements annually.

5. Procedure Summary

  1. Identify information security risks based on Risk Register (CC-ISMS-004).
  2. Select relevant Annex A controls to treat identified risks.
  3. Mark each control as “Applicable” or “Not Applicable,” with justification.
  4. Record evidence of implementation (e.g., policies, system configs, reports).
  5. Obtain management approval and publish controlled version.
  6. Update the SoA after significant changes or audit findings.

6. Sample Control Entries

Each entry records the control ID and description, its applicability, the justification, the implementation status, and where the evidence lives.

A.5.1 – Policies for Information Security
  Applicability: Applicable
  Justification: Core requirement to guide staff in secure software development and operations.
  Implementation: Implemented
  Evidence: Information Security Policy v3.0; Employee acknowledgment records.

A.5.23 – Information Security for Use of Cloud Services
  Applicability: Applicable
  Justification: All SaaS services hosted in AWS and Azure.
  Implementation: Implemented
  Evidence: Cloud Security Policy; Shared-Responsibility Matrix; SOC 2 certificates from providers.

A.8.7 – Protection Against Malware
  Applicability: Applicable
  Justification: Endpoints and build servers require EDR protection.
  Implementation: Implemented
  Evidence: EDR Dashboard reports; Incident Response Logs.

A.8.28 – Secure Coding Practices
  Applicability: Applicable
  Justification: Software development is core to service delivery.
  Implementation: Implemented
  Evidence: Secure Development Policy; Static Code Analysis Reports; Developer Training Logs.

A.5.34 – Privacy and Protection of PII
  Applicability: Applicable
  Justification: Platform handles customer user data and analytics.
  Implementation: Implemented
  Evidence: Privacy Policy; Data Protection Impact Assessment; Encryption standards.

7. Review and Continuous Improvement

CloudNova Software reviews its SoA annually or after any major change in services, platform architecture, or compliance requirements. Each control’s status is verified through internal audits and updated in the ISMS records repository.

8. Record Retention and Evidence Management

The approved SoA and its supporting records are retained for 6 years in CloudNova’s ISMS SharePoint repository. Evidence includes audit reports, control checklists, and signed approvals.

📄 End of Sample Record

Why This Example Works

  • Every control decision is documented and justified.
  • Cloud and application controls reflect shared responsibility.
  • Risk management and evidence are interconnected.
  • Auditors can trace security objectives directly to controls.

How Canadian Cyber Helps SaaS Companies Build Their SoA

At Canadian Cyber, we simplify ISO 27001 for modern SaaS providers by translating complex Annex A controls into clear, manageable documentation.

  • Statement of Applicability Template (CC-ISMS-006) customized for SaaS environments.
  • Control Mapping Workshops linking risk registers to Annex A.
  • Evidence and Audit Preparation Support.
  • Virtual CISO (vCISO) oversight and compliance tracking.
  • Pre-Certification and Surveillance Audit Readiness.

We don’t just help you check boxes; we help you prove control.

Ready to Build Your ISO 27001-Compliant Statement of Applicability?

Your clients trust you with their data; now show them how you protect it. Let Canadian Cyber help you build and manage your SoA with clarity and confidence.

Canadian Cyber: Helping SaaS Companies Document, Defend, and Deliver ISO 27001 Compliance with Confidence.