ISO 27001 Statement of Applicability (SoA)
Whether you’re starting your ISO 27001 project or enhancing an existing ISMS, STANDARD ONE provides essential templates, tools, and guides to empower your success — all at no cost.
ISO 27001 Statement of Applicability: Aligning Controls with Risks
Link your risks to controls with clarity and precision
Why the SoA Matters
The Statement of Applicability (SoA) is a required document under ISO/IEC 27001 Clause 6.1.3. It lists which Annex A controls are applicable to your ISMS, the justification for inclusion or exclusion, and the implementation status.
The SoA demonstrates that your security controls are risk-driven and aligned with your organization’s needs — a key focus during certification audits.
Key SoA Development Steps
1️⃣ Review All Annex A Controls
Systematically evaluate each control’s relevance to your ISMS scope and identified risks.
2️⃣ Determine Applicability
For each control, decide if it’s applicable and document the decision.
3️⃣ Justify Each Decision
Provide reasoning for including or excluding each control.
4️⃣ Record Implementation Status
Note whether the control is implemented, in progress, or not started.
Common Pitfalls
- Using generic justifications for control decisions
- Failing to keep the SoA updated as the ISMS evolves
- Inconsistent alignment between the risk assessment and SoA
Your Free Resource
ISO 27001 Statement of Applicability Template
A ready-to-use template covering all Annex A controls with fields for applicability, justification, and status.
Why Choose STANDARD ONE
We help organizations develop SoAs that are practical, defensible, and aligned with both risks and business objectives.
