Plain-language meaning
Annex A is a reference set of information security controls. The organization uses it to make sure it has not overlooked relevant controls when treating risks.
The Statement of Applicability, or SoA, is the document that explains which Annex A controls apply, which do not, why, and what their implementation status is.
Annex A is not a universal checklist
Not every organization must implement every Annex A control. Controls are selected based on:
- risk assessment;
- risk treatment objectives;
- legal and regulatory requirements;
- contractual commitments;
- business requirements;
- organizational context;
- outsourced or shared responsibilities.
What the Statement of Applicability should show
A useful SoA normally includes:
| Field | Purpose |
|---|---|
| Control reference | Identifies the Annex A control |
| Control name | Describes the control |
| Applicability | Applicable / not applicable |
| Justification | Explains why the control is included or excluded |
| Implementation status | Implemented / partially implemented / planned / not implemented |
| Related risks | Links to risk register |
| Related documents | Links to policies, procedures, standards |
| Evidence location | Points to proof of operation |
| Owner | Identifies accountable control owner |
Exclusion vs nonconformity
A control can be excluded from implementation if it is not applicable and the decision is justified.
But an unjustified exclusion can become a nonconformity.
Examples:
| Situation | Likely audit view |
|---|---|
| Control not applicable because the organization has no relevant process, and this is justified in the SoA | Potentially acceptable |
| Control skipped because implementation is expensive | Weak unless risk treatment and risk acceptance support it |
| Control applicable but not implemented and no treatment plan exists | Likely nonconformity |
| Control marked not applicable without explanation | Weak SoA evidence |
| Control marked implemented but no evidence exists | Likely nonconformity |
Exam cue
Annex A helps identify controls. The SoA explains decisions.
Memory phrase:
Annex A is the control reference; the SoA is the control decision record.
Related notes
- Iso27001
- ISO27002
- Annex a
- Soa
- Risk treatment
Note Metadata
Aliases: SoA, Statement of Applicability
Source: 01 Fundamentals/Annex A and the Statement of Applicability.md
Related Notes
- ISO27001 ISMS KB - Start Here
- Control Attributes and Risk Treatment Effects
- Information Security Management System
- ISO 27001 Clauses 4-10 vs Annex A
- ISO27002 Control Attributes
- Risk Assessment
- Statement of Applicability
- A.5 Organizational Controls MOC
- ISO 27005 Risk Process Notes
- EXAM-001 - Clauses 4-10 vs Annex A
- EXAM-002 - Statement of Applicability
- ISO 27001 Knowledge Base
- Annex A Controls MOC
- Exam Cues Index
- ISO 27001 Overview