    Statement of Applicability (Excel)

    All 93 Annex A controls with applicability and justification columns. First sheet preview only - extra sheets unlock with the pack.

    ISO 27001 Statement of Applicability - workbook walkthrough

    A 6-sheet Excel workbook for issuing your Statement of Applicability against ISO 27001:2022 Annex A: instructions, live dashboard, the main SoA, an implementation plan tracker, completion guidance and legend, and the full Annex A control library.

    Sheet 1 of 6

    Instructions

    Read-first sheet that explains what the SoA is for, how the workbook is structured and the recommended order for filling it in.

    • Tab-by-tab description of the workbook
    • Notes on document control and approval
    • Pointers to the Implementation Plan for gaps

    | Section | Description |
    |---|---|
    | 1. Instructions | This sheet - read first. |
    | 2. Dashboard | Live summary of applicability and implementation status. |
    | 3. Statement of Applicability | Main working sheet - all 93 Annex A controls. |
    | 4. Implementation Plan | Tracker for Planned and Partially Implemented controls. |
    | 5. Guidance & Legend | Field-level guidance for completing the SoA. |
    | 6. Annex A Library | Full Annex A control reference and suggested evidence. |

    Sheet 2 of 6

    Dashboard

    Live counts of applicability and implementation status across all 93 Annex A controls, plus a 5-step completion guidance table for the ISMS Lead.

    • Applicable / Not Applicable / To Be Determined counts
    • Implementation status counts (Implemented, Partial, Planned, Not Implemented)
    • Overdue Reviews and Implementation Completion %

    | Metric | Value | Implementation Status | Count |
    |---|---|---|---|
    | Total Annex A Controls | 93 | Implemented | 0 |
    | Applicable Controls | 0 | Partially Implemented | 0 |
    | Not Applicable Controls | 0 | Planned | 0 |
    | To Be Determined | 93 | Not Implemented | 93 |
    | Outstanding Controls | 0 | N/A | 0 |
    | Overdue Reviews | 0 | Blank | 0 |

    Counts shown are the workbook's default state before you complete the SoA - every control starts as 'To Be Determined / Not Implemented'.

    Sheet 3 of 6

    Statement of Applicability

    The main SoA sheet - one row per Annex A control with applicability decision, implementation status, justification, implementation description, linked Risk IDs, treatment basis, evidence reference and control owner.

    • All 93 ISO 27001:2022 Annex A controls pre-loaded
    • 12 columns including Risk ID(s) and Treatment Basis - so the SoA traces back to risks
    • Drop-downs for Applicable (Yes / No / TBD) and Implementation Status

    | Theme | Control ID | Control Name | Applicable | Status | Owner |
    |---|---|---|---|---|---|
    | A.5 Organizational | A.5.1 | Policies for information security | To be determined | Not Implemented | Senior Management / ISMS Lead |
    | A.5 Organizational | A.5.2 | Information security roles and responsibilities | To be determined | Not Implemented | Senior Management / ISMS Lead |
    | A.5 Organizational | A.5.3 | Segregation of duties | To be determined | Not Implemented | ISMS Lead / Process Owners |
    | A.5 Organizational | A.5.4 | Management responsibilities | To be determined | Not Implemented | Senior Management |
    | A.5 Organizational | A.5.5 | Contact with authorities | To be determined | Not Implemented | Compliance Owner / ISMS Lead |
    | A.5 Organizational | A.5.6 | Contact with special interest groups | To be determined | Not Implemented | ISMS Lead / Security Team |

    6 of 93 controls shown; columns abbreviated for preview. Full sheet has 12 columns including Control Intent, Justification, Implementation Description, Risk ID(s), Treatment Basis and Evidence Reference.

    Sheet 4 of 6

    Implementation Plan

    Tracker for controls marked Planned or Partially Implemented on the SoA. Records the gap, planned action, owner, target date, status and closure notes.

    • Pulls Control Name in via VLOOKUP from Annex A Library
    • Priority, Status and Evidence Reference per action
    • Closure Notes column for sign-off and audit trail

    | Priority | Control ID | Control Name | Gap / Issue | Planned Action | Owner | Target Date | Status |
    |---|---|---|---|---|---|---|---|
    | [Priority] | [Control ID] | = VLOOKUP from Annex A Library | [Gap / Issue] | [Planned Action] | [Responsible Owner] | [Target Date] | [Status] |

    Sheet ships empty with the formulas in place - rows populate as you mark controls Planned or Partially Implemented on the SoA.

    Sheet 5 of 6

    Guidance & Legend

    Field-level completion guidance: every column on the SoA explained with allowed values, meaning and how to complete it for audit.

    • Per-field guidance covering all SoA columns
    • Allowed values for every drop-down
    • Notes on document control, approval and review

    | Field | Allowed Values | Meaning | Completion Guidance |
    |---|---|---|---|
    | Applicable | Yes / No / To be determined | Whether the control is required for the ISMS scope | Mark No only when the control is not relevant; justify every exclusion. |
    | Implementation Status | Implemented / Partially Implemented / Planned / Not Implemented / N/A | Current implementation state of the control | Match status to evidence; Planned and Partial controls go to the Implementation Plan. |
    | Applicability Justification | Free text | Why the control is or is not applicable | Required for every control, especially exclusions. |
    | Risk ID(s) | R-### from Risk Register | Risks this control treats | Lets the SoA trace back to the risk assessment. |

    Sheet 6 of 6

    Annex A Library

    Full ISO 27001:2022 Annex A control library used to populate the SoA. Provides theme, control intent / audit focus, suggested evidence, typical owner, control type and cybersecurity concept.

    • All 93 Annex A:2022 controls listed
    • Suggested Evidence and Typical Owner per control
    • Control Type and Cybersecurity Concept (NIST CSF style)

    | Theme | Control ID | Control Name | Suggested Evidence | Typical Owner |
    |---|---|---|---|---|
    | A.5 Organizational | A.5.1 | Policies for information security | Information Security Policy; policy approval record | Senior Management / ISMS Lead |
    | A.5 Organizational | A.5.2 | Information security roles and responsibilities | Roles and Responsibilities Matrix; ISMS Charter | Senior Management / ISMS Lead |
    | A.5 Organizational | A.5.3 | Segregation of duties | Access Control Policy; segregation of duties matrix | ISMS Lead / Process Owners |
    | A.5 Organizational | A.5.4 | Management responsibilities | Information Security Policy; HR Security Policy | Senior Management |

    4 of 93 controls shown - the full Annex A:2022 library is loaded in the workbook.

    Unlock the full workbook

    Buy just this template, or unlock the full ISO 27001 policy and template set in clean, editable Word format with the Document Pack for $99.

    About this Statement of Applicability (Excel)

    The Statement of Applicability (Excel) is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to ISO 27001:2022
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Supports ISO 27001:2022 of ISO 27001:2022
    • Contributes to the documented information required by clause 7.5

    How to customise

    • Insert your organisation name, scope, and document owner.
    • Adapt scope statements and definitions to your environment.
    • Align responsibilities with your actual roles and team structure.
    • Approve, version, and publish via your document control process.

    Evidence auditors may expect

    • Approved and dated version of the document
    • Evidence the document is communicated to relevant staff
    • Records showing the controls described are actually performed
    • Review history demonstrating the document is kept current

    Auditor may ask

    Q. Who owns the Statement of Applicability (Excel), and when was it last reviewed?
    Q. How is this document communicated to the people who need it?
    Q. What evidence shows the controls described are operating?
    Q. How is the document updated when scope or risk changes?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Statement of Applicability (Excel)

    Buy this template on its own for $39, or unlock the full Document Pack for $99 (one-time).