Compliance

    ISO 27001 Statement of Applicability (SoA) Template: Free Example + Guide

    The Statement of Applicability is one of the most important documents in your ISMS - and one of the most common sources of audit findings. This guide explains exactly what your SoA must contain, how to justify control decisions, and provides a complete template structure.

    ISO27001KIT|April 8, 2026|14 min read
    ISO 27001 Statement of Applicability (SoA) Template: Free Example + Guide

    What Is a Statement of Applicability?

    The Statement of Applicability (SoA) is a mandatory document required by ISO 27001:2022 Clause 6.1.3d. It lists all 93 Annex A controls and, for each one, states whether it is applicable to your organization and provides justification for its inclusion or exclusion.

    The SoA serves three critical purposes:

    1. Demonstrates completeness: It shows that you have considered every control in the standard and made a deliberate decision about each one
    2. Links risk assessment to controls: It connects your identified risks to the controls that treat them
    3. Defines your control baseline: It tells auditors exactly which controls they should expect to find implemented

    The SoA is typically one of the first documents an auditor requests during a Stage 1 audit. Errors, omissions, or weak justifications in the SoA will generate nonconformities.

    What the SoA Must Contain

    Required Information per ISO 27001

    For each of the 93 Annex A controls, your SoA must document:

    1. Control reference and title (e.g., A.5.1 - Policies for Information Security)
    2. Applicability status (Applicable or Not Applicable)
    3. Justification for the decision (why included or excluded)
    4. Implementation status (Implemented, Partially Implemented, Planned, Not Implemented)

    Recommended Additional Information

    Most organizations include additional columns for practical value:

    ColumnPurpose
    Implementation methodHow the control is implemented (policy, technical, procedural)
    Responsible personWho owns the control
    Evidence referenceLink to policy, procedure, or system that implements the control
    Risk referenceWhich risks this control addresses
    NotesAdditional context for auditors

    SoA Template Structure

    Example Entries

    Applicable control:

    FieldValue
    ControlA.5.15 - Access Control
    ApplicableYes
    JustificationAccess to information systems must be controlled to prevent unauthorized access to customer data and internal systems. Addresses risks RISK-003, RISK-007, RISK-015.
    StatusImplemented
    MethodAccess Control Policy (POL-007), RBAC in all production systems, quarterly access reviews
    OwnerIT Security Manager

    Not applicable control:

    FieldValue
    ControlA.7.3 - Securing Offices, Rooms and Facilities
    ApplicableNo
    JustificationThe organization operates as a fully remote company with no physical offices or facilities. All infrastructure is cloud-hosted. Employee devices are managed via MDM.
    StatusN/A
    OwnerN/A

    Justification Guidelines

    For applicable controls: Explain the business need or risk that makes this control necessary. Reference specific risks from your risk register where possible.

    For not applicable controls: Provide a clear, specific reason why the control does not apply. Generic statements like "not relevant" are insufficient.

    Acceptable exclusion reasons:

    • The technology or system the control addresses does not exist in your environment
    • The risk the control addresses has been treated through alternative means (specify what)
    • The activity the control relates to is out of scope (must align with your scope statement)
    • Regulatory or contractual requirements supersede the control

    Not acceptable: "We decided not to implement this" or "Not applicable" without explanation.

    Organizing the 93 Controls

    ISO 27001:2022 organizes Annex A controls into four themes:

    Organizational Controls (A.5) - 37 Controls

    Covers policies, roles, asset management, access control, supplier relationships, incident management, business continuity, and compliance. These are the governance and management controls.

    People Controls (A.6) - 8 Controls

    Covers screening, employment terms, security awareness, disciplinary process, post-employment responsibilities, remote working, and event reporting.

    Physical Controls (A.7) - 14 Controls

    Covers physical security perimeters, entry controls, securing offices, physical security monitoring, protection against environmental threats, working in secure areas, clear desk policy, equipment siting, asset management off-site, storage media, supporting utilities, cabling security, and equipment maintenance.

    Technological Controls (A.8) - 34 Controls

    Covers endpoint devices, privileged access, access restriction, secure authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring, web filtering, secure coding, and more.

    Common SoA Mistakes

    Mistake 1: Excluding Controls Without Valid Justification

    Every exclusion will be questioned by auditors. "We do not do this" is not a justification. You need to explain why the underlying risk does not exist or is addressed another way.

    Mistake 2: Not Linking to Risk Assessment

    Your SoA should trace back to your risk assessment. If you identified a risk related to unauthorized access, your SoA should show applicable access control controls with references to that risk.

    Mistake 3: Stale Implementation Status

    If your SoA says a control is "Implemented" but the actual implementation is incomplete or broken, the auditor will find a nonconformity. Keep implementation status accurate and up to date.

    Mistake 4: Missing Controls

    ISO 27001:2022 has 93 controls. If your SoA shows 80, the auditor will immediately ask about the missing 13. Every control must be listed, even if excluded.

    Mistake 5: Copy-Paste Justifications

    Using identical justification text for multiple controls suggests you have not actually thought about each one. Tailor justifications to the specific control and your organization's context.

    Building Your SoA Efficiently

    Working through 93 controls manually is tedious and error-prone. The SoA Generator on iso27001kit.com guides you through every Annex A control with:

    • Clear descriptions of what each control requires
    • Guided applicability assessment
    • Implementation status tracking
    • Exportable SoA document formatted for auditor review

    The tool ensures you do not miss any controls and helps you write appropriate justifications for each decision.

    Generate your Statement of Applicability now - free

    Tags:
    iso 27001
    statement of applicability
    soa
    annex a
    controls

    Found this article helpful?

    Share it with your colleagues.