UnixTime

Research Note

Annex A and the Statement of Applicability

Annex A is a reference set of information security controls. The organization uses it to make sure it has not overlooked relevant controls when treating risks.

On this page

Plain-language meaning

Annex A is a reference set of information security controls. The organization uses it to make sure it has not overlooked relevant controls when treating risks.

The Statement of Applicability, or SoA, is the document that explains which Annex A controls apply, which do not, why, and what their implementation status is.

Annex A is not a universal checklist

Not every organization must implement every Annex A control. Controls are selected based on:

  • risk assessment;
  • risk treatment objectives;
  • legal and regulatory requirements;
  • contractual commitments;
  • business requirements;
  • organizational context;
  • outsourced or shared responsibilities.

What the Statement of Applicability should show

A useful SoA normally includes:

Field Purpose
Control reference Identifies the Annex A control
Control name Describes the control
Applicability Applicable / not applicable
Justification Explains why the control is included or excluded
Implementation status Implemented / partially implemented / planned / not implemented
Related risks Links to risk register
Related documents Links to policies, procedures, standards
Evidence location Points to proof of operation
Owner Identifies accountable control owner

Exclusion vs nonconformity

A control can be excluded from implementation if it is not applicable and the decision is justified.

But an unjustified exclusion can become a nonconformity.

Examples:

Situation Likely audit view
Control not applicable because the organization has no relevant process, and this is justified in the SoA Potentially acceptable
Control skipped because implementation is expensive Weak unless risk treatment and risk acceptance support it
Control applicable but not implemented and no treatment plan exists Likely nonconformity
Control marked not applicable without explanation Weak SoA evidence
Control marked implemented but no evidence exists Likely nonconformity

Exam cue

Annex A helps identify controls. The SoA explains decisions.

Memory phrase:

Annex A is the control reference; the SoA is the control decision record.