Statement of Applicability (Excel)
All 93 Annex A controls with applicability and justification columns. First sheet preview only - extra sheets unlock with the pack.
ISO 27001 Statement of Applicability - workbook walkthrough
A 6-sheet Excel workbook for issuing your Statement of Applicability against ISO 27001:2022 Annex A: instructions, live dashboard, the main SoA, an implementation plan tracker, completion guidance and legend, and the full Annex A control library.
Instructions
Read-first sheet that explains what the SoA is for, how the workbook is structured and the recommended order for filling it in.
- Tab-by-tab description of the workbook
- Notes on document control and approval
- Pointers to the Implementation Plan for gaps
| | A | B |
|---|---|---|
| 1 | Section | Description |
| 2 | 1. Instructions | This sheet - read first. |
| 3 | 2. Dashboard | Live summary of applicability and implementation status. |
| 4 | 3. Statement of Applicability | Main working sheet - all 93 Annex A controls. |
| 5 | 4. Implementation Plan | Tracker for Planned and Partially Implemented controls. |
| 6 | 5. Guidance & Legend | Field-level guidance for completing the SoA. |
| 7 | 6. Annex A Library | Full Annex A control reference and suggested evidence. |
Dashboard
Live counts of applicability and implementation status across all 93 Annex A controls, plus a 5-step completion guidance table for the ISMS Lead.
- Applicable / Not Applicable / To Be Determined counts
- Implementation status counts (Implemented, Partial, Planned, Not Implemented)
- Overdue Reviews and Implementation Completion %
| | A | B | C | D |
|---|---|---|---|---|
| 1 | Metric | Value | Implementation Status | Count |
| 2 | Total Annex A Controls | 93 | Implemented | 0 |
| 3 | Applicable Controls | 0 | Partially Implemented | 0 |
| 4 | Not Applicable Controls | 0 | Planned | 0 |
| 5 | To Be Determined | 93 | Not Implemented | 93 |
| 6 | Outstanding Controls | 0 | N/A | 0 |
| 7 | Overdue Reviews | 0 | Blank | 0 |
Statement of Applicability
The main SoA sheet - one row per Annex A control with applicability decision, implementation status, justification, implementation description, linked Risk IDs, treatment basis, evidence reference and control owner.
- All 93 ISO 27001:2022 Annex A controls pre-loaded
- 12 columns including Risk ID(s) and Treatment Basis, so the SoA traces back to risks
- Drop-downs for Applicable (Yes / No / TBD) and Implementation Status
| | A | B | C | D | E | F |
|---|---|---|---|---|---|---|
| 1 | Theme | Control ID | Control Name | Applicable | Status | Owner |
| 2 | A.5 Organizational | A.5.1 | Policies for information security | To be determined | Not Implemented | Senior Management / ISMS Lead |
| 3 | A.5 Organizational | A.5.2 | Information security roles and responsibilities | To be determined | Not Implemented | Senior Management / ISMS Lead |
| 4 | A.5 Organizational | A.5.3 | Segregation of duties | To be determined | Not Implemented | ISMS Lead / Process Owners |
| 5 | A.5 Organizational | A.5.4 | Management responsibilities | To be determined | Not Implemented | Senior Management |
| 6 | A.5 Organizational | A.5.5 | Contact with authorities | To be determined | Not Implemented | Compliance Owner / ISMS Lead |
| 7 | A.5 Organizational | A.5.6 | Contact with special interest groups | To be determined | Not Implemented | ISMS Lead / Security Team |
Implementation Plan
Tracker for controls marked Planned or Partially Implemented on the SoA. Records the gap, planned action, owner, target date, status and closure notes.
- Pulls Control Name in via VLOOKUP from Annex A Library
- Priority, Status and Evidence Reference per action
- Closure Notes column for sign-off and audit trail
| | A | B | C | D | E | F | G | H |
|---|---|---|---|---|---|---|---|---|
| 1 | Priority | Control ID | Control Name | Gap / Issue | Planned Action | Owner | Target Date | Status |
| 2 | [Priority] | [Control ID] | = VLOOKUP from Annex A Library | [Gap / Issue] | [Planned Action] | [Responsible Owner] | [Target Date] | [Status] |
Guidance & Legend
Field-level completion guidance: every column on the SoA explained with allowed values, meaning and how to complete it for audit.
- Per-field guidance covering all SoA columns
- Allowed values for every drop-down
- Notes on document control, approval and review
| | A | B | C | D |
|---|---|---|---|---|
| 1 | Field | Allowed Values | Meaning | Completion Guidance |
| 2 | Applicable | Yes / No / To be determined | Whether the control is required for the ISMS scope | Mark No only when the control is not relevant; justify every exclusion. |
| 3 | Implementation Status | Implemented / Partially Implemented / Planned / Not Implemented / N/A | Current implementation state of the control | Match status to evidence; Planned and Partial controls go to the Implementation Plan. |
| 4 | Applicability Justification | Free text | Why the control is or is not applicable | Required for every control, especially exclusions. |
| 5 | Risk ID(s) | R-### from Risk Register | Risks this control treats | Lets the SoA trace back to the risk assessment. |
Annex A Library
Full ISO 27001:2022 Annex A control library used to populate the SoA. Provides theme, control intent / audit focus, suggested evidence, typical owner, control type and cybersecurity concept.
- All 93 Annex A:2022 controls listed
- Suggested Evidence and Typical Owner per control
- Control Type and Cybersecurity Concept (NIST CSF style)
| | A | B | C | D | E |
|---|---|---|---|---|---|
| 1 | Theme | Control ID | Control Name | Suggested Evidence | Typical Owner |
| 2 | A.5 Organizational | A.5.1 | Policies for information security | Information Security Policy; policy approval record | Senior Management / ISMS Lead |
| 3 | A.5 Organizational | A.5.2 | Information security roles and responsibilities | Roles and Responsibilities Matrix; ISMS Charter | Senior Management / ISMS Lead |
| 4 | A.5 Organizational | A.5.3 | Segregation of duties | Access Control Policy; segregation of duties matrix | ISMS Lead / Process Owners |
| 5 | A.5 Organizational | A.5.4 | Management responsibilities | Information Security Policy; HR Security Policy | Senior Management |
Unlock the full workbook
Buy just this template, or unlock the full ISO 27001 policy and template set in clean, editable Word format with the Document Pack for $99.
About this Statement of Applicability (Excel)
The Statement of Applicability (Excel) is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors.
Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.
What's inside
- Pre-written purpose, scope and policy statements
- Roles and responsibilities aligned with ISO 27001:2022
- Control requirements mapped to ISO 27001:2022
- Review, approval and version-control sections
- Editable Word (.docx) version in the Document Pack
Who is this for
- Companies pursuing ISO 27001:2022 certification
- ISMS managers and information security leads
- Consultants delivering ISO 27001 implementations
- Auditors preparing evidence packs for Stage 1 / Stage 2
- SaaS and tech teams formalizing security policies
ISO 27001:2022 relevance
- Supports ISO 27001:2022 of ISO 27001:2022
- Contributes to the documented information required by clause 7.5
How to customise
- Insert your organisation name, scope, and document owner.
- Adapt scope statements and definitions to your environment.
- Align responsibilities with your actual roles and team structure.
- Approve, version, and publish via your document control process.
Evidence auditors may expect
- Approved and dated version of the document
- Evidence the document is communicated to relevant staff
- Records showing the controls described are actually performed
- Review history demonstrating the document is kept current
Auditor may ask
These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.
Get the editable Statement of Applicability (Excel)
Buy this template on its own for $39, or unlock the full Document Pack for $99 (one-time).
