Statement of Applicability (SoA)
A mandatory ISO 27001 document that lists all Annex A controls, states which are applicable, and explains why others are excluded.
The Statement of Applicability (SoA) is a core document required by ISO 27001. It provides a comprehensive overview of all controls from Annex A of the standard, documenting for each control whether it is applicable to the organization, the justification for its inclusion or exclusion, and the current implementation status. It serves as the central reference linking the organization's risk treatment decisions to its actual security controls.
ISO/IEC 27001:2022 Annex A contains 93 controls organized into four themes: Organizational, People, Physical, and Technological. An organization may exclude controls that are not relevant given its risk assessment results or business context, but every exclusion must be justified. The SoA is a living document — it must be kept up to date as controls are implemented, changed, or retired.
During an ISO 27001 certification audit, auditors use the SoA as a key reference document to verify that the organization has considered all controls and can demonstrate the implementation of those it has declared applicable. A well-maintained SoA is therefore not just a compliance formality but a practical governance tool that shows the maturity of the ISMS.
Legal Basis
ISO/IEC 27001:2022 (Clause 6.1.3 d)
Practical Example
During its ISO 27001 certification project, a technology company creates its Statement of Applicability. Working through all 93 controls in Annex A, the team marks 85 as applicable based on the risk assessment results and the company's operating context. Eight controls — mostly related to physical security of industrial equipment not present in the company's environment — are excluded with documented justifications. The SoA is reviewed and approved by senior management before the certification audit.