UnixTime

Research Note

Statement of Applicability

The Statement of Applicability, usually called the SoA, is the ISO/IEC 27001 control decision record.

On this page

Plain-language meaning

The Statement of Applicability, usually called the SoA, is the ISO/IEC 27001 control decision record.

It explains which Annex A controls apply, which do not apply, why those decisions were made, and what the implementation status is.

Why this matters

The SoA prevents Annex A from becoming a blind checklist. It ties control decisions back to Risk Assessment, risk treatment, legal obligations, contractual requirements, business context, and the organization’s Information Security Management System.

If a control is excluded without a clear justification, that is weak evidence and can become a nonconformity.

What a useful SoA should include

Field Purpose
Control reference Identifies the Annex A control
Control name States the control being assessed
Applicability Shows whether the control applies
Justification Explains why the control is included or excluded
Implementation status Shows whether the control is implemented, partial, planned, or not implemented
Related risks Connects the control to the risk register
Related documents Links policies, procedures, standards, or playbooks
Evidence location Points auditors to proof
Control owner Shows accountability

Implementation guidance

Implementer focus

Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.

  • Build the SoA after risk assessment and risk treatment planning, not before.
  • Use Annex A as a completeness check, not as an automatic implementation list.
  • Document both inclusion and exclusion decisions.
  • Keep implementation status honest. Do not mark controls implemented without evidence.
  • Link the SoA to control owners, evidence locations, and related risks.
  • Review the SoA when risks, controls, legal obligations, suppliers, or business scope change.

Audit guidance

Auditor focus

Look for evidence that the process operates in practice, not just that a document exists.

Auditors will check whether the SoA is complete, justified, current, and consistent with actual implementation.

Good audit tests:

  • Pick controls marked applicable and verify evidence exists.
  • Pick controls marked not applicable and test whether the justification is defensible.
  • Compare SoA status against control notes, policies, procedures, and evidence.
  • Check whether risk treatment decisions explain the control selection.
  • Check whether SoA changes are reviewed and approved.

Strong evidence

Strong evidence test

Prefer dated, owned, reviewed records that show the control or process operated for real cases.

  • SoA covers all Annex A controls.
  • Applicability decisions are linked to risks, obligations, and business context.
  • Exclusions have specific, defensible justifications.
  • Implementation status matches evidence.
  • Owners and evidence locations are defined.
  • SoA is reviewed after major risk or scope changes.

Weak evidence

Weak evidence warning

Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.

  • Controls marked not applicable with no explanation.
  • Controls marked implemented but no evidence exists.
  • SoA copied from a template and not tailored.
  • No link to risk assessment or risk treatment.
  • No owner or review date.
  • SoA conflicts with policies, procedures, or actual operations.

Common failures

Implementation watchouts

These are the fastest ways this topic fails in real ISMS work.

Failure Why it matters
Treating Annex A as automatically mandatory Wastes effort and misses risk-based reasoning
Excluding controls without justification Creates audit exposure
Marking planned controls as implemented Misrepresents ISMS maturity
Not updating the SoA after changes Control decisions become stale
No evidence location Audit becomes slow and weak
No control owner Accountability is unclear

Exam traps

Exam focus

Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.

  • Annex A controls are not automatically mandatory for every organization.
  • Clauses 4-10 cannot be excluded, but Annex A controls can be marked not applicable if justified.
  • The SoA does not replace risk assessment.
  • The SoA does not prove implementation by itself.
  • Cost alone is not a strong justification for excluding a relevant control.

KB-ready summary

Quick refresher

Use this section for last-day review and for explaining the topic to a control owner.

The Statement of Applicability is the formal Annex A control decision record. It documents applicability, justification, implementation status, related risks, evidence, and ownership. For exams, remember: Annex A is the control reference; the SoA is the decision and justification record.

Templates and checklists

  • Iso27001
  • Isms
  • Soa
  • Annex a
  • Risk treatment

Note Metadata

Aliases: SoA, ISO 27001 Statement of Applicability

Source: 01 Fundamentals/Statement of Applicability.md

Graph-sourced resources

Templates and evidence

Implementer templates

Working artifacts for control owners and operators.