Statement of Applicability

Document Control

Document Information
Document Name Document Number Owner
Statement of Applicability MI2I-01/2025 Mozhar Alhosni
Revision History
Version Name Job Title Date Summary of Revision
1 Mozhar Alhosni Cybersecurity GRC Consultant #DATE_OF_REVISION# 1st Release
Document Approvals
Name Title Date Method
#GRC Chief NAME# CEO 6/25/2025 Email

Purpose

The Statement of Applicability (SoA) is a core document within the Information Security Management System (ISMS). It lists every ISO/IEC 27001:2022 Annex A control, states whether each control is applicable or not, and records the justification for that decision. For applicable controls, the SoA also describes the implementation status and references the supporting policies, procedures, and technical measures.

The SoA ensures a clear and traceable link between identified risks, risk treatment decisions, and the controls selected to manage those risks. It acts as a central register of controls, demonstrating how Masdr protects information assets and meets regulatory, contractual, and business requirements.

Statement of Applicability for ISO 27001:2022 Controls

Control ID Control Family Control Name Implemented (Yes/No) Justification Implementation Status Supporting Policies, Procedures, and Technical Measures
5.1 Organizational Controls Policies for information security Yes NA NA NA
5.2 Organizational Controls Information security roles and responsibilities Yes NA NA NA
5.3 Organizational Controls Segregation of duties Yes NA NA NA
5.4 Organizational Controls Management responsibilities Yes NA NA NA
5.5 Organizational Controls Contact with authorities Yes NA NA NA
5.6 Organizational Controls Contact with special interest groups Yes NA NA NA
5.7 Organizational Controls Threat Intelligence Yes NA NA NA
5.8 Organizational Controls Information security in project management Yes NA NA NA
5.9 Organizational Controls Inventory of information and other associated assets Yes NA NA NA
5.10 Organizational Controls Acceptable use of information and other associated assets Yes NA NA NA
5.11 Organizational Controls Return of assets Yes NA NA NA
5.12 Organizational Controls Classification of information Yes NA NA NA
5.13 Organizational Controls Labelling of information Yes NA NA NA
5.14 Organizational Controls Information transfer Yes NA NA NA
5.15 Organizational Controls Access Control Yes NA NA NA
5.16 Organizational Controls Identity management Yes NA NA NA
5.17 Organizational Controls Authentication information Yes NA NA NA
5.18 Organizational Controls Access rights Yes NA NA NA
5.19 Organizational Controls Information security in supplier relationships Yes NA NA NA
5.20 Organizational Controls Addressing information security within supplier agreements Yes NA NA NA
5.21 Organizational Controls Managing information security in the information and communication technology (ICT) supply chain Yes NA NA NA
5.22 Organizational Controls Monitoring, review and change management of supplier services Yes NA NA NA
5.23 Organizational Controls Information security for use of cloud services Yes NA NA NA
5.24 Organizational Controls Information security incident management planning and preparation Yes NA NA NA
5.25 Organizational Controls Assessment and decision on information security events Yes NA NA NA
5.26 Organizational Controls Response to information security incidents Yes NA NA NA
5.27 Organizational Controls Learning from information security incidents Yes NA NA NA
5.28 Organizational Controls Collection of evidence Yes NA NA NA
5.29 Organizational Controls Information security during disruption Yes NA NA NA
5.30 Organizational Controls ICT readiness for business continuity Yes NA NA NA
5.31 Organizational Controls Legal, statutory, regulatory and contractual requirements Yes NA NA NA
5.32 Organizational Controls Intellectual property rights Yes NA NA NA
5.33 Organizational Controls Protection of records Yes NA NA NA
5.34 Organizational Controls Privacy and protection of personal identifiable information (PII) Yes NA NA NA
5.35 Organizational Controls Independent review of information security Yes NA NA NA
5.36 Organizational Controls Compliance with policies, rules and standards for information security Yes NA NA NA
5.37 Organizational Controls Documented operating procedures Yes NA NA NA
6.1 People Controls Screening Yes NA NA NA
6.2 People Controls Terms and conditions of employment Yes NA NA NA
6.3 People Controls Information security awareness, education and training Yes NA NA NA
6.4 People Controls Disciplinary process Yes NA NA NA
6.5 People Controls Responsibilities after termination or change of employment Yes NA NA NA
6.6 People Controls Confidentiality or non-disclosure agreements Yes NA NA NA
6.7 People Controls Remote working Yes NA NA NA
6.8 People Controls Information security event reporting Yes NA NA NA
7.1 Physical Controls Physical security perimeters Yes NA NA NA
7.2 Physical Controls Physical entry Yes NA NA NA
7.3 Physical Controls Securing offices, rooms and facilities Yes NA NA NA
7.4 Physical Controls Physical security monitoring Yes NA NA NA
7.5 Physical Controls Protecting against physical and environmental threats Yes NA NA NA
7.6 Physical Controls Working in secure areas Yes NA NA NA
7.7 Physical Controls Clear desk and clear screen Yes NA NA NA
7.8 Physical Controls Equipment siting and protection Yes NA NA NA
7.9 Physical Controls Security of assets off-premises Yes NA NA NA
7.10 Physical Controls Storage media Yes NA NA NA
7.11 Physical Controls Supporting utilities Yes NA NA NA
7.12 Physical Controls Cabling security Yes NA NA NA
7.13 Physical Controls Equipment maintenance Yes NA NA NA
7.14 Physical Controls Secure disposal or re-use of equipment Yes NA NA NA
8.1 Technological Controls User end point devices Yes NA NA NA
8.2 Technological Controls Privileged access rights Yes NA NA NA
8.3 Technological Controls Information access restriction Yes NA NA NA
8.4 Technological Controls Access to source code Yes NA NA NA
8.5 Technological Controls Secure authentication Yes NA NA NA
8.6 Technological Controls Capacity management Yes NA NA NA
8.7 Technological Controls Protection against malware Yes NA NA NA
8.8 Technological Controls Management of technical vulnerabilities Yes NA NA NA
8.9 Technological Controls Configuration management Yes NA NA NA
8.10 Technological Controls Information deletion Yes NA NA NA
8.11 Technological Controls Data masking Yes NA NA NA
8.12 Technological Controls Data leakage prevention Yes NA NA NA
8.13 Technological Controls Information backup Yes NA NA NA
8.14 Technological Controls Redundancy of information processing facilities Yes NA NA NA
8.15 Technological Controls Logging Yes NA NA NA
8.16 Technological Controls Monitoring activities Yes NA NA NA
8.17 Technological Controls Clock synchronization Yes NA NA NA
8.18 Technological Controls Use of privileged utility programs Yes NA NA NA
8.19 Technological Controls Installation of software on operational systems Yes NA NA NA
8.20 Technological Controls Networks security Yes NA NA NA
8.21 Technological Controls Security of network services Yes NA NA NA
8.22 Technological Controls Segregation of networks Yes NA NA NA
8.23 Technological Controls Web filtering Yes NA NA NA
8.24 Technological Controls Use of cryptography Yes NA NA NA
8.25 Technological Controls Secure development life cycle Yes NA NA NA
8.26 Technological Controls Application security requirements Yes NA NA NA
8.27 Technological Controls Secure system architecture and engineering principles Yes NA NA NA
8.28 Technological Controls Secure coding Yes NA NA NA
8.29 Technological Controls Security testing in development and acceptance Yes NA NA NA
8.30 Technological Controls Outsourced development Yes NA NA NA
8.31 Technological Controls Separation of development, test and production environments Yes NA NA NA
8.32 Technological Controls Change management Yes NA NA NA
8.33 Technological Controls Test information Yes NA NA NA
8.34 Technological Controls Protection of information systems during audit testing Yes NA NA NA