UnixTime

Research Note

EXAM-002 - Statement of Applicability

The Statement of Applicability explains which Annex A controls apply, which do not, why those decisions were made, and whether selected controls are implemented.

On this page

Exam focus

The SoA is not just a control list. It records applicability, justification, implementation status, and links risk treatment to selected controls.

Topic Summary

The Statement of Applicability explains which Annex A controls apply, which do not, why those decisions were made, and whether selected controls are implemented.

Key Concepts

  • Built from risk assessment and risk treatment decisions.
  • Must justify included and excluded controls.
  • Supports audit traceability.
  • Does not replace the risk assessment or risk treatment plan.

Common Exam Traps

  • Treating the SoA as optional.
  • Treating the SoA as the same thing as the risk register.
  • Assuming excluded controls need no justification.
  • Iso27001
  • Exam

Note Metadata

Source: 09-Exam-Preparation/EXAM-002-Statement-of-Applicability.md