What is Statement of Applicability (SoA)?
A Statement of Applicability (SoA) is the required ISO/IEC 27001 document that addresses all 93 Annex A controls and records, for each, whether it applies, the justification for inclusion or exclusion, and its implementation status. It links your risk assessment to your chosen controls and is one of the documents auditors scrutinize most closely.
The SoA is the central control document of an ISO 27001 ISMS. It must cover every Annex A control so an auditor can see at a glance which controls you have adopted, why, and whether each is implemented. For included controls it ties back to the risks they treat; for excluded controls it states a defensible reason (for example, no on-premises data center, so certain physical controls do not apply).
Concretely, if your risk treatment plan selects multi-factor authentication and access reviews, the SoA marks the relevant Annex A access controls as applicable and points to the policies and evidence behind them. A vague or inconsistent SoA is a common source of audit findings, so precision matters.
A good template gives you a pre-populated SoA listing all 93 controls with sample justifications and status fields, so you adjust rather than build the spreadsheet from scratch. That can save days of work, but the SoA must reflect your real risk decisions and operating controls -- it documents readiness, it does not create it. Certification still requires an accredited body to audit the live ISMS.
Related terms: Annex A Controls · Risk Treatment Plan · Risk Assessment · Audit Evidence
Frequently asked questions
- Is a Statement of Applicability mandatory for ISO 27001?
- Yes. The SoA is one of the explicitly required documents in ISO/IEC 27001 (clause 6.1.3). An ISMS cannot be certified without one.
- What is the difference between an SoA and a Risk Treatment Plan?
- The Risk Treatment Plan says how you will treat specific identified risks and who does what by when; the SoA is the master list of all Annex A controls with each marked applicable or not, justified, and given an implementation status. They are linked but serve different purposes.
- Can I exclude controls in the SoA?
- Yes, you may exclude Annex A controls that are not applicable, but you must record a clear justification for each exclusion. Auditors review these exclusions carefully to ensure no relevant risk is left untreated.
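The consistency points above (every one of the 93 Annex A controls present once, every inclusion and exclusion justified, each included control traceable to a risk in the treatment plan, each exclusion carrying no implementation status) can be checked mechanically before an auditor does it by hand. The following Python script is an added example, not code from the page or from any of the toolkits it lists. It assumes the SoA has been exported as one row per control with `control`, `applicable`, `justification` and `status` fields, and that the risk treatment plan is available as a mapping from risk id to the control ids selected to treat it; the sample SoA and plan are constructed inline with a few deliberate defects.

```python
"""Consistency checks over an ISO/IEC 27001:2022 Statement of Applicability.

Added example (not from the page or its toolkits). Assumes the SoA is a list of
row dicts, one per Annex A control, and the risk treatment plan is a dict
risk_id -> [control ids]. Control ids follow the 2022 Annex A numbering:
5.1-5.37 (organizational), 6.1-6.8 (people), 7.1-7.14 (physical),
8.1-8.34 (technological), 93 controls in total.
"""
from collections import Counter

ANNEX_A_THEMES = {5: 37, 6: 8, 7: 14, 8: 34}
VALID_STATUS = {"implemented", "partially implemented", "planned", "not applicable"}


def annex_a_control_ids():
    """All 93 Annex A control ids, '5.1' ... '8.34', in Annex order."""
    return [f"{theme}.{n}" for theme, count in ANNEX_A_THEMES.items()
            for n in range(1, count + 1)]


def check_soa(rows, treatment_plan):
    """Return sorted (control_id, finding) pairs an auditor would raise."""
    rows = list(rows)
    findings = []
    expected = annex_a_control_ids()
    seen = Counter(r["control"] for r in rows)

    # Coverage: every control listed exactly once, nothing that is not Annex A.
    for cid in expected:
        if seen[cid] == 0:
            findings.append((cid, "control missing from SoA"))
        elif seen[cid] > 1:
            findings.append((cid, "control listed more than once"))
    for cid in seen:
        if cid not in expected:
            findings.append((cid, "not an Annex A control id"))

    # Controls the risk treatment plan relies on.
    selected = {c for controls in treatment_plan.values() for c in controls}

    for r in rows:
        cid = r["control"]
        justification = (r.get("justification") or "").strip()
        status = (r.get("status") or "").strip().lower()
        if not justification:  # inclusions and exclusions both need a reason
            findings.append((cid, "missing justification"))
        if status not in VALID_STATUS:
            findings.append((cid, f"unknown status '{status}'"))
        if r["applicable"]:
            if status == "not applicable":
                findings.append((cid, "applicable control marked 'not applicable'"))
            if cid not in selected:  # included controls should trace to a treated risk
                findings.append((cid, "applicable but not traced to any risk in the treatment plan"))
        else:
            if status != "not applicable":
                findings.append((cid, "excluded control has an implementation status"))
            if cid in selected:
                findings.append((cid, "excluded but the treatment plan relies on it"))
    return sorted(findings)


def summarize(rows):
    """Headline counts for the SoA cover sheet."""
    rows = list(rows)
    return {
        "rows": len(rows),
        "applicable": sum(1 for r in rows if r["applicable"]),
        "excluded": sum(1 for r in rows if not r["applicable"]),
        "implemented": sum(1 for r in rows if r.get("status") == "implemented"),
    }


def sample_soa():
    """Constructed sample: a full SoA with four deliberate defects."""
    rows = [{"control": cid, "applicable": True,
             "justification": "Treats risks recorded in the risk register",
             "status": "implemented"} for cid in annex_a_control_ids()]
    by_id = {r["control"]: r for r in rows}
    # Legitimate exclusion of three physical-theme controls with a stated reason.
    for cid in ("7.1", "7.2", "7.3"):
        by_id[cid].update(applicable=False, status="not applicable",
                          justification="No on-premises facilities; hosting is with a cloud provider")
    by_id["7.4"].update(applicable=False, status="not applicable", justification="")  # no reason given
    by_id["8.1"].update(status="")          # status left blank
    rows.remove(by_id["5.37"])              # control dropped from the spreadsheet
    return rows


def sample_treatment_plan(rows):
    """Constructed plan: one risk per theme; control 8.34 is never referenced."""
    applicable = [r["control"] for r in rows if r["applicable"]]
    return {f"R-{theme}": [c for c in applicable
                           if c.startswith(f"{theme}.") and c != "8.34"]
            for theme in ANNEX_A_THEMES}


if __name__ == "__main__":
    soa = sample_soa()
    print(summarize(soa))
    for cid, finding in check_soa(soa, sample_treatment_plan(soa)):
        print(f"{cid:>5}  {finding}")
```

Run stand-alone, the script reports the four planted defects (a missing control, an exclusion without justification, a blank status, and an applicable control no risk points at) and nothing else; the same checks applied to a real export give a short punch list to clear before the audit rather than a finding during it.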
Toolkits that cover Statement of Applicability (SoA)
ISO 27001 Policy Pack — Core
16 editable ISO/IEC 27001:2022 policies plus the full 93-control Statement of Applicability — everything a small business needs to start its ISMS.
ISO 27001 Complete Toolkit
All 24 policies and procedures plus the risk register, 93-control Statement of Applicability and audit evidence checklist — audit-ready from day one.
ISO 27001 + SOC 2 Dual Toolkit
47 documents covering both frameworks plus a control crosswalk, risk register, Statement of Applicability and TSC mapping — run one security program, pass two audits.
Learn more in our ISO/IEC 27001 guide, explore the editable policy templates, or browse the full compliance glossary.
