Exam focus
The SoA is not just a control list. It records applicability, justification, implementation status, and links risk treatment to selected controls.
Topic Summary
The Statement of Applicability explains which Annex A controls apply, which do not, why those decisions were made, and whether selected controls are implemented.
Key Concepts
- Built from risk assessment and risk treatment decisions.
- Must justify included and excluded controls.
- Supports audit traceability.
- Does not replace the risk assessment or risk treatment plan.
Common Exam Traps
- Treating the SoA as optional.
- Treating the SoA as the same thing as the risk register.
- Assuming excluded controls need no justification.
Related Notes
- Iso27001
- Exam
Note Metadata
Source: 09-Exam-Preparation/EXAM-002-Statement-of-Applicability.md