What Is a Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory document required by ISO 27001:2022 Clause 6.1.3d. It lists all 93 Annex A controls and, for each one, states whether it is applicable to your organization and provides justification for its inclusion or exclusion.
The SoA serves three critical purposes:
- Demonstrates completeness: It shows that you have considered every control in the standard and made a deliberate decision about each one
- Links risk assessment to controls: It connects your identified risks to the controls that treat them
- Defines your control baseline: It tells auditors exactly which controls they should expect to find implemented
The SoA is typically one of the first documents an auditor requests during a Stage 1 audit. Errors, omissions, or weak justifications in the SoA will generate nonconformities.
What the SoA Must Contain
Required Information per ISO 27001
For each of the 93 Annex A controls, your SoA must document:
- Control reference and title (e.g., A.5.1 - Policies for Information Security)
- Applicability status (Applicable or Not Applicable)
- Justification for the decision (why included or excluded)
- Implementation status (Implemented, Partially Implemented, Planned, Not Implemented)
Recommended Additional Information
Most organizations include additional columns for practical value:
| Column | Purpose |
|---|---|
| Implementation method | How the control is implemented (policy, technical, procedural) |
| Responsible person | Who owns the control |
| Evidence reference | Link to policy, procedure, or system that implements the control |
| Risk reference | Which risks this control addresses |
| Notes | Additional context for auditors |
SoA Template Structure
Example Entries
Applicable control:
| Field | Value |
|---|---|
| Control | A.5.15 - Access Control |
| Applicable | Yes |
| Justification | Access to information systems must be controlled to prevent unauthorized access to customer data and internal systems. Addresses risks RISK-003, RISK-007, RISK-015. |
| Status | Implemented |
| Method | Access Control Policy (POL-007), RBAC in all production systems, quarterly access reviews |
| Owner | IT Security Manager |
Not applicable control:
| Field | Value |
|---|---|
| Control | A.7.3 - Securing Offices, Rooms and Facilities |
| Applicable | No |
| Justification | The organization operates as a fully remote company with no physical offices or facilities. All infrastructure is cloud-hosted. Employee devices are managed via MDM. |
| Status | N/A |
| Owner | N/A |
Justification Guidelines
For applicable controls: Explain the business need or risk that makes this control necessary. Reference specific risks from your risk register where possible.
For not applicable controls: Provide a clear, specific reason why the control does not apply. Generic statements like "not relevant" are insufficient.
Acceptable exclusion reasons:
- The technology or system the control addresses does not exist in your environment
- The risk the control addresses has been treated through alternative means (specify what)
- The activity the control relates to is out of scope (must align with your scope statement)
- Regulatory or contractual requirements supersede the control
Not acceptable: "We decided not to implement this" or "Not applicable" without explanation.
Organizing the 93 Controls
ISO 27001:2022 organizes Annex A controls into four themes:
Organizational Controls (A.5) - 37 Controls
Covers policies, roles, asset management, access control, supplier relationships, incident management, business continuity, and compliance. These are the governance and management controls.
People Controls (A.6) - 8 Controls
Covers screening, employment terms, security awareness, disciplinary process, post-employment responsibilities, remote working, and event reporting.
Physical Controls (A.7) - 14 Controls
Covers physical security perimeters, entry controls, securing offices, physical security monitoring, protection against environmental threats, working in secure areas, clear desk policy, equipment siting, asset management off-site, storage media, supporting utilities, cabling security, and equipment maintenance.
Technological Controls (A.8) - 34 Controls
Covers endpoint devices, privileged access, access restriction, secure authentication, capacity management, malware protection, vulnerability management, configuration management, information deletion, data masking, data leakage prevention, monitoring, web filtering, secure coding, and more.
Common SoA Mistakes
Mistake 1: Excluding Controls Without Valid Justification
Every exclusion will be questioned by auditors. "We do not do this" is not a justification. You need to explain why the underlying risk does not exist or is addressed another way.
Mistake 2: Not Linking to Risk Assessment
Your SoA should trace back to your risk assessment. If you identified a risk related to unauthorized access, your SoA should show applicable access control controls with references to that risk.
Mistake 3: Stale Implementation Status
If your SoA says a control is "Implemented" but the actual implementation is incomplete or broken, the auditor will find a nonconformity. Keep implementation status accurate and up to date.
Mistake 4: Missing Controls
ISO 27001:2022 has 93 controls. If your SoA shows 80, the auditor will immediately ask about the missing 13. Every control must be listed, even if excluded.
Mistake 5: Copy-Paste Justifications
Using identical justification text for multiple controls suggests you have not actually thought about each one. Tailor justifications to the specific control and your organization's context.
Building Your SoA Efficiently
Working through 93 controls manually is tedious and error-prone. The SoA Generator on iso27001kit.com guides you through every Annex A control with:
- Clear descriptions of what each control requires
- Guided applicability assessment
- Implementation status tracking
- Exportable SoA document formatted for auditor review
The tool ensures you do not miss any controls and helps you write appropriate justifications for each decision.
Generate your Statement of Applicability now - free
Found this article helpful?
Share it with your colleagues.
