Plain-language meaning
The Statement of Applicability, usually called the SoA, is the ISO/IEC 27001 control decision record.
It explains which Annex A controls apply, which do not apply, why those decisions were made, and what the implementation status is.
Why this matters
The SoA prevents Annex A from becoming a blind checklist. It ties control decisions back to Risk Assessment, risk treatment, legal obligations, contractual requirements, business context, and the organization’s Information Security Management System.
If a control is excluded without a clear justification, that is weak evidence and can become a nonconformity.
What a useful SoA should include
| Field | Purpose |
|---|---|
| Control reference | Identifies the Annex A control |
| Control name | States the control being assessed |
| Applicability | Shows whether the control applies |
| Justification | Explains why the control is included or excluded |
| Implementation status | Shows whether the control is implemented, partial, planned, or not implemented |
| Related risks | Connects the control to the risk register |
| Related documents | Links policies, procedures, standards, or playbooks |
| Evidence location | Points auditors to proof |
| Control owner | Shows accountability |
Implementation guidance
Implementer focus
Turn this section into owners, procedures, records, review cadence, and evidence locations. A control is not implemented until it operates repeatedly.
- Build the SoA after risk assessment and risk treatment planning, not before.
- Use Annex A as a completeness check, not as an automatic implementation list.
- Document both inclusion and exclusion decisions.
- Keep implementation status honest. Do not mark controls implemented without evidence.
- Link the SoA to control owners, evidence locations, and related risks.
- Review the SoA when risks, controls, legal obligations, suppliers, or business scope change.
Audit guidance
Auditor focus
Look for evidence that the process operates in practice, not just that a document exists.
Auditors will check whether the SoA is complete, justified, current, and consistent with actual implementation.
Good audit tests:
- Pick controls marked applicable and verify evidence exists.
- Pick controls marked not applicable and test whether the justification is defensible.
- Compare SoA status against control notes, policies, procedures, and evidence.
- Check whether risk treatment decisions explain the control selection.
- Check whether SoA changes are reviewed and approved.
Strong evidence
Strong evidence test
Prefer dated, owned, reviewed records that show the control or process operated for real cases.
- SoA covers all Annex A controls.
- Applicability decisions are linked to risks, obligations, and business context.
- Exclusions have specific, defensible justifications.
- Implementation status matches evidence.
- Owners and evidence locations are defined.
- SoA is reviewed after major risk or scope changes.
Weak evidence
Weak evidence warning
Weak evidence usually shows a document exists but does not prove operation, consistency, or effectiveness.
- Controls marked not applicable with no explanation.
- Controls marked implemented but no evidence exists.
- SoA copied from a template and not tailored.
- No link to risk assessment or risk treatment.
- No owner or review date.
- SoA conflicts with policies, procedures, or actual operations.
Common failures
Implementation watchouts
These are the fastest ways this topic fails in real ISMS work.
| Failure | Why it matters |
|---|---|
| Treating Annex A as automatically mandatory | Wastes effort and misses risk-based reasoning |
| Excluding controls without justification | Creates audit exposure |
| Marking planned controls as implemented | Misrepresents ISMS maturity |
| Not updating the SoA after changes | Control decisions become stale |
| No evidence location | Audit becomes slow and weak |
| No control owner | Accountability is unclear |
Exam traps
Exam focus
Read these as distractor patterns. Exams often test scope, timing, ownership, applicability, and evidence quality.
- Annex A controls are not automatically mandatory for every organization.
- Clauses 4-10 cannot be excluded, but Annex A controls can be marked not applicable if justified.
- The SoA does not replace risk assessment.
- The SoA does not prove implementation by itself.
- Cost alone is not a strong justification for excluding a relevant control.
Related controls and concepts
- Annex A and the Statement of Applicability
- ISO 27001 Clauses 4-10 vs Annex A
- Risk Assessment
- Control Attributes and Risk Treatment Effects
- ISO27002 Control Attributes
- Internal Audit
- Management Review
KB-ready summary
Quick refresher
Use this section for last-day review and for explaining the topic to a control owner.
The Statement of Applicability is the formal Annex A control decision record. It documents applicability, justification, implementation status, related risks, evidence, and ownership. For exams, remember: Annex A is the control reference; the SoA is the decision and justification record.
Templates and checklists
- Iso27001
- Isms
- Soa
- Annex a
- Risk treatment
Note Metadata
Aliases: SoA, ISO 27001 Statement of Applicability
Source: 01 Fundamentals/Statement of Applicability.md
Graph-sourced resources
Templates and evidence
Implementer templates
Working artifacts for control owners and operators.
Related Notes
- ISO27001 ISMS KB - Start Here
- Annex A and the Statement of Applicability
- Control Attributes and Risk Treatment Effects
- Field of Application, Usage, and Compliance
- Information Security Management System
- Information Security Policy
- Internal Audit
- ISO 27001 Clauses 4-10 vs Annex A
- ISO27002 Control Attributes
- Management Review
- Risk Assessment
- ISO 27001 A.5.10 - Acceptable Use of Information and Other Associated Assets
- ISO 27001 A.5.12 - Classification of Information
- ISO 27001 A.5.14 - Information Transfer
- ISO 27001 A.5.19 - Information Security in Supplier Relationships
- ISO 27001 A.5.20 - Addressing Information Security Within Supplier Agreements
- ISO 27001 A.5.21 - Managing Information Security in the ICT Supply Chain
- ISO 27001 A.5.23 - Information Security for Use of Cloud Services
- ISO 27001 A.5.31 - Legal, Statutory, Regulatory and Contractual Requirements
- ISO 27001 A.5.5 - Contact with Authorities
- ISO 27001 A.5.6 - Contact with Special Interest Groups
- ISO 27001 A.5.7 - Threat Intelligence
- ISO 27001 A.5.8 - Information Security in Project Management
- ISO 27001 A.5.9 - Inventory of Information and Other Associated Assets
- A.5 Organizational Controls MOC
- ISO 27001 A.6.1 - Screening
- A.6 People Controls MOC
- Quiz Review - Control Attributes and Compliance
- ISO 27001 A.7.1 - Physical Security Perimeters
- ISO 27001 A.7.11 - Supporting Utilities
- ISO 27001 A.7.5 - Protecting Against Physical and Environmental Threats
- ISO 27001 A.7.9 - Security of Assets Off-Premises
- A.7 Physical Controls MOC
- A.5.7 Audit Evidence Pack
- A.5.8 Audit Evidence Pack
- ISO 27001 A.8.12 - Data Leakage Prevention
- ISO 27001 A.8.13 - Information Backup
- ISO 27001 A.8.14 - Redundancy of Information Processing Facilities
- ISO 27001 A.8.15 - Logging
- ISO 27001 A.8.16 - Monitoring Activities
- ISO 27001 A.8.19 - Installation of Software on Operational Systems
- ISO 27001 A.8.20 - Networks Security
- ISO 27001 A.8.21 - Security of Network Services
- ISO 27001 A.8.22 - Segregation of Networks
- ISO 27001 A.8.23 - Web Filtering
- ISO 27001 A.8.24 - Use of Cryptography
- ISO 27001 A.8.25 - Secure Development Life Cycle
- ISO 27001 A.8.26 - Application Security Requirements
- ISO 27001 A.8.27 - Secure System Architecture and Engineering Principles
- ISO 27001 A.8.3 - Information Access Restriction
- ISO 27001 A.8.30 - Outsourced Development
- ISO 27001 A.8.31 - Separation of Development Test and Production Environments
- ISO 27001 A.8.33 - Test Information
- ISO 27001 A.8.4 - Access to Source Code
- ISO 27001 A.8.6 - Capacity Management
- ISO 27001 A.8.7 - Protection Against Malware
- ISO 27001 A.8.8 - Management of Technical Vulnerabilities
- ISO 27001 A.8.9 - Configuration Management
- A.8 Technological Controls MOC
- A.6 People Controls Implementation Guide
- ISMS Implementation Roadmap
- ISO 27001 Implementer Guide
- Internal Audit Execution Guide
- ISO 27005 Risk Management Guide
- ISO 27005 Risk Process Notes
- EXAM-001 - Clauses 4-10 vs Annex A
- EXAM-002 - Statement of Applicability
- EXAM-003 - ISO 27002 Control Attributes
- ISO 27001 Knowledge Base
- ISO 27001 Requirements to Implementation and Audit Map
- ISO 27002 Control Attributes Evidence Map
- ISO 27005 Knowledge Base
- Asset Threat Vulnerability Risk Control Evidence Data Model
- Authentication Exception and Compensating Control Record
- Template - Evidence Request List
- Legal and Contractual Requirements Register
- Template - Risk and Control Mapping Table
- Template - Statement of Applicability Support Table
- Supplier Security Risk Assessment
- Vulnerability Exception and Risk Acceptance Record
- Vulnerability Management Procedure
- ISO 27001 Overview