The auditor has noticed that the auditee does not have a Statement of Applicability. What audit conclusion should the auditor reach?

The conclusion that a lack of a Statement of Applicability indicates a major nonconformity is grounded in the fundamental requirements of ISO/IEC 27001. The Statement of Applicability (SoA) is a key document that outlines the controls applicable to the Information Security Management System (ISMS) and their status in terms of implementation. Its absence signifies a significant gap in the management and application of security controls, which undermines the entire framework of the ISMS.

Not having an SoA means the organization has not adequately identified which controls are needed or how they are applied, leading to potential vulnerabilities in the security posture. This lack of documentation represents a failure to meet the standard’s critical requirements and is substantial enough to impact the overall integrity of the ISMS. Therefore, detecting the absence of an SoA would justifiably lead the auditor to conclude that this constitutes a major nonconformity.