Definition

Statement of applicability

The statement of applicability (SoA) is a mandatory ISO 27001 document justifying inclusion or exclusion of each Annex A control.

The SoA lists all 93 Annex A controls, indicates which are applicable, justifies exclusions and references implementation documents. It links risk assessment to implemented controls and is a focal point of every certification audit.

Key aspects

Exclusion justification

Each excluded control must have documented valid justification. Auditors verify no risks are left untreated.

Link to risk assessment

Control selection must derive from risk assessment and treatment results. It is the risk-control traceability.

Living document

Must be updated when risks, controls or ISMS scope change.

Frequently asked questions

Technically yes, with valid justification. However, fundamental controls like security policy are very difficult to justify as not applicable.

Yes. It is one of the first documents the certification auditor reviews. It is the control audit roadmap.

Comparison

Ready to act on these findings?

Need an assessment in this area?

Request diagnosis→View research→

Loading content…

Statement of applicability

Key aspects

Exclusion justification

Link to risk assessment

Living document

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Statement of applicability

Key aspects

Exclusion justification

Link to risk assessment

Living document

Frequently asked questions

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Statement of applicability

Key aspects

Exclusion justification

Link to risk assessment

Living document

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?

Statement of applicability

Key aspects

Exclusion justification

Link to risk assessment

Living document

Frequently asked questions

Related content

ISO 27001 vs ISO 42001: key differences between information security and AI management

ISO 9001 vs ISO 27001: quality management vs information security

How to implement ISO 27001 in your organization

How to prepare for an ISO audit

Shadow AI: artificial intelligence use without formal governance

Personal data breach: exposure assessment and privacy controls

Ready to act on these findings?