Building a Strong ISO 27001 Framework: The Statement of Applicability (SoA) for MSPs
Why MSPs Need a Statement of Applicability
For Managed Service Providers (MSPs), information security isn’t just about securing client data; it’s about demonstrating accountability and compliance. The Statement of Applicability (SoA) is one of the most powerful tools within an ISO 27001 Information Security Management System (ISMS).
This document serves as a comprehensive inventory of all 93 ISO 27001:2022 Annex A controls, indicating which ones apply to your organization, their implementation status, and the rationale behind each decision. It’s not merely a checkbox exercise; it’s proof that your MSP’s information security program is systematic, risk-based, and auditable.
The SoA shows clients and auditors that your MSP knows what controls exist, why they are in place (or excluded), and how they align with your operational and technical environment.
Understanding the Statement of Applicability
In ISO 27001, Clause 6.1.3(d) requires every organization to maintain an SoA that:
- Lists all applicable Annex A controls
- Justifies exclusions, if any
- Indicates implementation status
- References evidence supporting control effectiveness
This allows auditors, and more importantly your clients, to trace how you manage risks, comply with laws and contracts, and protect sensitive information throughout your managed services lifecycle.
Sample Statement of Applicability: Fictitious MSP Example
(Based on the Canadian Cyber CC-ISMS-006 Template)
| Field | Details |
|---|---|
| Document Title | Statement of Applicability (SoA) |
| Document Number | MS-ISMS-006 |
| Version | 2.0 |
| Date of Issue | October 2025 |
| Owner | ISMS Manager |
| Classification | Confidential |
1. Purpose
The purpose of this Statement of Applicability is to identify all ISO 27001:2022 Annex A controls relevant to MapleSecure MSP Inc. and confirm their applicability and implementation. This ensures complete alignment between our risk treatment plan and implemented security controls.
2. Scope
This SoA applies to all managed IT and cybersecurity services provided by MapleSecure MSP Inc., including remote monitoring, endpoint management, cloud hosting, and client support operations. It covers corporate offices in Toronto and Calgary and all supporting systems and infrastructure.
3. References
- ISO/IEC 27001:2022 and 27002:2022
- CC-ISMS-001 – ISMS Scope
- CC-ISMS-002 – Information Security Policy
- CC-ISMS-003 – Risk Assessment Methodology
- CC-ISMS-005 – Risk Treatment Process & Plan
- CC-ISMS-008 – Internal Audit Program & Reports
4. Roles & Responsibilities
| Role | Responsibility |
|---|---|
| CEO | Approves the SoA and ensures adequate resources. |
| ISMS Manager | Maintains the SoA, maps risks to controls, and coordinates reviews. |
| IT Manager | Implements and verifies technical controls (e.g., backups, MFA, patching). |
| Procurement Manager | Manages supplier security clauses. |
| Internal Audit | Verifies control effectiveness annually. |
5. Policy / Procedure Summary
- Identify risks using the approved methodology.
- Select controls from Annex A based on treatment plans.
- Document applicability, justification, and evidence in the SoA.
- Review with control owners (IT, HR, Procurement).
- Obtain management approval and publish the current version.
- Update the SoA after audits, incidents, or major organizational changes.
6. Control Summary (Example Entries)
| Control ID | Control Description | Applicability | Justification | Status | Evidence |
|---|---|---|---|---|---|
| A.5.1 | Policies for Information Security | Applicable | Required to guide all MSP staff and contractors in secure operations. | Implemented | Information Security Policy v2.0 approved and distributed. |
| A.5.23 | Information Security for Use of Cloud Services | Applicable | Cloud services are core to managed offerings; necessary to protect client environments. | Implemented | Cloud Security Policy; Azure CSP agreements; SOC 2 certificates on file. |
| A.8.7 | Protection Against Malware | Applicable | Essential for endpoint and server protection across client systems. | Implemented | Centralized EDR dashboard; daily malware scan reports retained for 12 months. |
| A.5.34 | Privacy and Protection of PII | Applicable | MSP handles client user and business data. Compliance with PIPEDA is mandatory. | Implemented | Privacy Impact Assessment and encryption standards in place for all client data. |
7. Review and Continuous Improvement
MapleSecure MSP Inc. reviews this SoA annually and after any major change or security incident. All control mappings are linked to the Risk Register and Risk Treatment Plan to maintain traceability.
8. Retention and Evidence Management
All SoA records are stored in SharePoint (ISMS Records repository) for 6 years. Audit logs, approvals, and supporting evidence are maintained for verification and certification audits.
Why This Matters for MSPs
- Your MSP operates transparently with documented, reviewed controls.
- Risk management is aligned with service delivery.
- Compliance expectations in regulated sectors (e.g., finance, healthcare) are met.
By aligning the SoA with your managed service operations, you strengthen client trust and streamline audits.
Ready to Build Your ISO 27001 Statement of Applicability?
Canadian Cyber specializes in helping Managed Service Providers develop, implement, and audit ISO 27001 controls, from crafting your first SoA to achieving certification readiness.