Most ISO 27001 implementations in the UAE succeed or fail on two documents, and neither of them is the policy manual. The risk assessment and the Statement of Applicability (SoA) are the engine of the whole system. Get them right and the controls, the evidence and the audit fall into place.
We see teams pour weeks into writing policies before they have decided what they are protecting against. That is backwards. An information security management system is built from risk outwards, and ISO/IEC 27001 is explicit about the order: clause 6.1.2 (risk assessment) comes before clause 6.1.3 (risk treatment), and controls are only selected in the treatment step.
Start With the Risk Assessment, Not the Controls
Clause 6.1.2 of ISO/IEC 27001 requires a defined risk assessment process that produces consistent, valid and comparable results. You identify the risks to the confidentiality, integrity and availability of information within the ISMS scope, assign a risk owner to each, and analyse likelihood and impact against acceptance criteria you set in advance. The method matters less than applying it the same way every time, because repeatable results are what an auditor tests.
The common failure is a risk assessment built to justify the controls the team already wanted, rather than one that surfaces the risks the business actually carries. In our experience, that inversion is why some systems look complete on paper yet miss the exposure that later causes an incident.
The Statement of Applicability Is the Spine of ISO 27001 Implementation in the UAE
Clause 6.1.3 turns risk into treatment. You choose how to treat each risk, select the controls that treatment needs, compare the selection with Annex A to confirm nothing necessary has been omitted, and record every decision in the Statement of Applicability. The SoA lists all 93 Annex A controls of ISO/IEC 27001:2022, whether each applies, the justification for including or excluding it, and its implementation status.
Those 93 controls sit in four themes: 37 organisational (5.1 to 5.37), 8 people (6.1 to 6.8), 14 physical (7.1 to 7.14) and 34 technological (8.1 to 8.34). You are not required to implement all of them. You are required to justify your choices against your risk assessment, and the SoA is where an auditor checks that the logic of your implementation holds together.
Map Control Selection to UAE Obligations
This is where UAE implementations differ from a generic template. Clause 4.2 asks you to identify the requirements of interested parties, regulators included, and Annex A control 5.31 (legal, statutory, regulatory and contractual requirements) expects those obligations to be identified, documented and kept current, so control selection must reflect local law. The UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), overseen by the UAE Data Office, shapes how you treat personal data controls. For Dubai government entities and their suppliers, the Dubai Electronic Security Center (DESC) Information Security Regulation adds its own control expectations that should be mapped into the SoA rather than run as a separate exercise.
Skipping this mapping is the most expensive shortcut we see. A Statement of Applicability that ignores PDPL or DESC obligations can pass the ISO audit yet leave a compliance gap that a regulator or a client’s due diligence will find. Building the mapping once, inside the SoA, is far cheaper than maintaining two parallel control sets.
We reviewed one Dubai firm whose SoA marked forty controls as implemented, yet half had no evidence behind them. The risk assessment had been copied from a template, so the controls traced back to nothing. Rebuilding both took less time than defending the gaps would have at Stage 2.
From SoA to Evidence
A control listed as applicable in the SoA has to be demonstrable. This is where ISMS implementation becomes real work: each applicable control needs a named owner, a defined operating routine, and evidence that the routine runs (tickets, logs, review minutes, access reviews, whatever the control produces). The gap between a control marked implemented and a control that actually produces evidence is where Stage 2 audits stall.
Our principal consultants treat the SoA as a living register, not a one-off audit artefact. Reviewed each quarter against new risks and changes in the business, it keeps the system aligned between audits and makes recertification a continuation rather than a rebuild.
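The consistency rules above (every Annex A control listed once, every inclusion or exclusion justified, every applicable control traceable to a register risk, every implemented control backed by an owner and evidence, no treatment plan relying on an excluded control) can be checked mechanically before an auditor does it by hand. The script below is an added illustration for this article, not the authors' tooling or any certification body's checklist; the row layout, the traceability rule and all sample records are constructed assumptions rather than a format the standard prescribes.

```python
"""Consistency checks between a risk register and an ISO/IEC 27001:2022
Statement of Applicability (SoA).

Added illustration for this article, not the authors' tooling or any
certification body's checklist. The row layout, the rules that treat a
finding as a defect and every sample record below are constructed
assumptions, not a format the standard prescribes."""

# ISO/IEC 27001:2022 Annex A: 93 controls in four themes, numbered 5.x to 8.x.
ANNEX_A = {"5": ("organisational", 37), "6": ("people", 8),
           "7": ("physical", 14), "8": ("technological", 34)}


def annex_a_ids():
    """All 93 Annex A control identifiers, '5.1' through '8.34'."""
    return [f"{clause}.{n}" for clause, (_, count) in ANNEX_A.items()
            for n in range(1, count + 1)]


def check_soa(soa, risk_register):
    """Return a list of findings; an empty list means the SoA holds together.

    soa: rows {control, applicable, justification, status, owner, evidence}
    risk_register: rows {risk_id, owner, treating_controls}
    Rule (assumption of this checker): every applicable control must trace to
    at least one register risk. A control kept only for a legal or contractual
    reason should then appear as a compliance risk that it treats.
    """
    findings = []
    listed = [row["control"] for row in soa]
    for cid in annex_a_ids():          # every Annex A control appears exactly once
        if listed.count(cid) != 1:
            findings.append(f"{cid}: listed {listed.count(cid)} times, must be exactly once")
    treating = {c for r in risk_register for c in r["treating_controls"]}
    excluded = {row["control"] for row in soa if not row["applicable"]}
    for row in soa:
        cid = row["control"]
        if not row.get("justification"):   # inclusion and exclusion both need a reason
            findings.append(f"{cid}: no justification recorded")
        if row["applicable"] and cid not in treating:
            findings.append(f"{cid}: applicable but treats no risk in the register")
        if row["applicable"] and row.get("status") == "implemented":
            if not row.get("owner"):
                findings.append(f"{cid}: implemented but has no owner")
            if not row.get("evidence"):
                findings.append(f"{cid}: marked implemented but has no evidence reference")
    for risk in risk_register:            # a treatment plan must not rely on excluded controls
        for cid in risk["treating_controls"]:
            if cid in excluded:
                findings.append(f"{risk['risk_id']}: treated by {cid}, which the SoA excludes")
    return findings


def theme_summary(soa):
    """Applicable/total control counts per Annex A theme, for the SoA cover sheet."""
    summary = {}
    for clause, (theme, _) in ANNEX_A.items():
        rows = [r for r in soa if r["control"].split(".")[0] == clause]
        summary[theme] = (sum(1 for r in rows if r["applicable"]), len(rows))
    return summary


def sample_data(defective):
    """Constructed sample: a small treatment plan and a full 93-row SoA.
    With defective=True, four defects of the kind the article describes are injected."""
    risks = [
        {"risk_id": "R-01", "owner": "CISO", "treating_controls": ["5.1", "8.5", "8.15"]},
        {"risk_id": "R-02", "owner": "Head of HR", "treating_controls": ["6.1", "6.3"]},
        {"risk_id": "R-03", "owner": "Ops lead", "treating_controls": ["7.4", "8.15"]},
    ]
    selected = {c for r in risks for c in r["treating_controls"]}
    soa = [{"control": cid, "applicable": cid in selected,
            "justification": "treats a register risk" if cid in selected
            else "outside ISMS scope (constructed)",
            "status": "implemented" if cid in selected else "not applicable",
            "owner": "CISO" if cid in selected else "",
            "evidence": [f"EV-{cid}"] if cid in selected else []}
           for cid in annex_a_ids()]
    if defective:
        by_id = {row["control"]: row for row in soa}
        soa.remove(by_id["5.37"])                     # control missing from the SoA
        by_id["8.5"]["evidence"] = []                 # implemented on paper, no evidence
        by_id["8.9"]["applicable"] = True             # included, but no risk calls for it
        by_id["8.9"]["justification"] = "copied from template"
        by_id["7.4"]["applicable"] = False            # excluded, yet R-03 relies on it
        by_id["7.4"]["status"] = "not applicable"
    return soa, risks


if __name__ == "__main__":
    for finding in check_soa(*sample_data(defective=True)):
        print(finding)
    print(theme_summary(sample_data(defective=False)[0]))
```

Run against the defective sample it reports the four defects (a missing control, an implemented control with no evidence, an applicable control that treats nothing, and a risk whose treatment depends on an excluded control); against the clean sample it reports none. The same checks can run on every quarterly review of the register, which is what keeps the SoA a living document rather than an audit-week artefact.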
Getting the Help Right
Most organisations do not have a full-time risk and controls specialist, which is why the risk assessment and SoA are the phases where external support pays for itself. Experienced ISO certification companies in Dubai bring a tested risk methodology and a control library, so you are not inventing the framework while learning the standard. For how this fits the wider budget, see our guide to ISO 27001 implementation cost.
The goal is not to outsource the system, it is to build one your team can run. A well-constructed risk assessment and SoA give you that, because they encode the reasoning behind every control in a form your people can maintain. That is what makes an ISO 27001 implementation stick after the certificate arrives.
Get the Risk Assessment and SoA Right First
The fastest route through an ISO 27001 audit is a risk assessment and Statement of Applicability that actually hold together. We will build both with your team, mapped to your UAE obligations, so the controls and evidence follow logically.
Frequently Asked Questions (FAQs)
Do we have to implement all 93 Annex A controls for ISO 27001 implementation in the UAE?
No. ISO/IEC 27001 requires you to select the controls that treat the risks in your assessment and to justify inclusions and exclusions in the Statement of Applicability. Many organisations apply a substantial portion, depending on scope and risk, but the standard is risk-driven, not a fixed checklist.
How does the SoA affect our ISO 27001 certification in UAE audit?
The Statement of Applicability is the document the auditor works from. At Stage 1 the auditor reviews it against your scope and risk assessment and decides whether the system is ready; at Stage 2 they sample the controls it marks applicable and ask for evidence that each one operates. A weak SoA is a common source of findings in UAE certification audits, especially for firms in Dubai free zones whose clients demand strong control evidence.
Does the certification body's ISO 27001 accreditation matter here?
Yes, indirectly. Accreditation belongs to the certification body, not to your organisation: an accreditation body assesses the certification body against ISO/IEC 17021-1 and the ISMS-specific requirements of ISO/IEC 27006, and a certificate issued under that accredited scope is what clients and regulators recognise. The phrase "ISO 27001 accreditation" is loose shorthand for that standing. The accredited body then audits your SoA and risk treatment against ISO/IEC 27001, and a robust SoA is what lets that audit go smoothly.