
    Statement of Applicability (SoA)

    Lists all Annex A controls with applicability and justification. Mandatory under clause 6.1.3 d).


    About this Statement of Applicability (SoA)

    The Statement of Applicability (SoA) is a ready-to-use ISO 27001:2022 template designed to help organizations document and operate the controls expected by certification auditors. It maps to clause 6.1.3 of the main ISO 27001 standard.

    Use it as the baseline for your ISMS documentation, tailor it to your scope and risk appetite, then maintain it through your normal document-control process.

    What's inside

    • Pre-written purpose, scope and policy statements
    • Roles and responsibilities aligned with ISO 27001:2022
    • Control requirements mapped to clause 6.1.3
    • Review, approval and version-control sections
    • Editable Word (.docx) version in the Document Pack

    Who is this for

    • Companies pursuing ISO 27001:2022 certification
    • ISMS managers and information security leads
    • Consultants delivering ISO 27001 implementations
    • Auditors preparing evidence packs for Stage 1 / Stage 2
    • SaaS and tech teams formalizing security policies

    ISO 27001:2022 relevance

    • Clause 6.1.3 d) - Statement of Applicability
    • All 93 Annex A controls (ISO 27001:2022)

    How to customise

    • Mark each control as applicable or not applicable.
    • Provide a justification for every decision, including exclusions.
    • Record the implementation status and link to the risk register.
    • Reference the evidence or document that supports each control.

    Evidence auditors may expect

    • Completed SoA covering all 93 Annex A controls
    • Justification for each inclusion and exclusion
    • Cross-reference from SoA to risks and supporting documents
    • Version history showing review and approval

    Auditor may ask

    Q. How did you decide which controls are applicable?
    Q. How are exclusions justified and approved?
    Q. How does the SoA stay in sync with the risk treatment plan?
    Q. Where is the evidence that each applicable control is operating?

    These are realistic questions an external auditor may use to test the control. Your answer must be supported by the evidence listed above.

    Get the editable Statement of Applicability (SoA)

    Buy this template on its own for $34, or unlock the full Document Pack for $99 (one-time).