The ISO 27001 Statement of Applicability (SoA), explained
By ComplyBricks · Last reviewed Jul 12, 2026
The Statement of Applicability (SoA) is one of the most important documents in an ISO 27001 ISMS — and the one auditors reach for first. This guide explains what it is and what it must contain.
What the SoA is
The SoA is a documented record that lists every Annex A control and states, for each one:
- whether it is applicable to your organisation;
- the justification for including it (or for excluding it);
- and whether it is currently implemented.
ISO 27001 (clause 6.1.3) requires you to produce it as an output of risk treatment. It's the bridge between your risk assessment and the controls you actually operate.
Why it matters
- It's mandatory. You cannot be certified without one.
- It's the auditor's map. An assessor uses the SoA to check that your control selection is justified by real risks, and that the controls you claim are genuinely in place.
- It forces honest decisions. Marking a control "not applicable" obliges you to say why — which prevents quietly skipping controls that actually matter.
What it should contain
For each of the Annex A controls:
| Field | Purpose |
|---|---|
| Control reference & name | Identify the control |
| Applicable? (Yes/No) | Whether it's in scope for you |
| Justification | Why it applies, or the reason for exclusion |
| Implementation status | Implemented / in progress / planned |
| Reference to evidence | Where the supporting evidence lives |
SoA vs risk treatment plan
They're related but distinct: the risk treatment plan describes how you'll treat each risk and by when; the SoA is the standing statement of which controls apply and their status. Keep both current — the SoA is a living document, not a one-off certification artifact.
New to the standard? Start with the ISO 27001 guide for SMBs.
References
- ISO/IEC 27001:2022, clause 6.1.3 (information security risk treatment)
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →