Glossary · Compliance concepts
What is Statement of Applicability?
Also known as: SoA, SOA
A Statement of Applicability (SoA) is the ISO 27001 and ISO 42001 document that lists every Annex A control and records whether each one is applicable or excluded, the justification for that decision, and its implementation status. It is the cornerstone document an auditor reviews to understand the ISMS at a glance.
Key takeaways
- The SoA maps every Annex A control to an applicable-or-excluded decision with a written justification.
- It is one of the first and most scrutinized documents in an ISO 27001 or ISO 42001 audit.
- It is produced from the risk assessment and risk treatment outputs, not written in isolation.
- Each exclusion must be justified; unjustified exclusions are a common audit finding.
- It is a living document that is updated as controls and risks change.
What the SoA is and why it matters
The Statement of Applicability is a required document in both ISO 27001 and ISO 42001. It enumerates every control in the standard's Annex A and, for each one, states whether it applies, why, and how far it has been implemented.
It matters because it is effectively the index of the entire management system. An auditor can read the SoA and immediately see which controls the organization claims, which it has excluded, and the reasoning behind every choice. For that reason it is often the first document requested in an audit.
The SoA also forces discipline: an organization cannot quietly skip a control, because every Annex A item must be accounted for with an explicit, justified decision.
What each SoA entry contains
For every Annex A control, a well-formed SoA records the following:
- The control reference and name
- Whether it is applicable or excluded
- A justification for inclusion or exclusion
- The implementation status (for example: implemented, in progress, planned)
- A reference to where the control is documented or evidenced
The applicability decisions trace back to the risk assessment and risk treatment work. A control is typically applicable because it addresses an identified risk, and excluded only when no relevant risk exists. The Annex A controls catalog defines the full list the SoA must cover.
Who produces it and how it is used in audit
The SoA is usually owned by the person running the ISMS or AIMS, drawing on input from control owners across the organization. It is not a one-time deliverable; it is revised whenever risks, controls, or scope change.
During certification, the auditor uses the SoA as a checklist, sampling controls marked applicable and asking for evidence that they operate as claimed. A mismatch between the SoA and reality, or an applicable control with no supporting evidence, is a finding.
Keeping the SoA aligned with reality is easier when control evidence is gathered continuously rather than at audit time, which is the goal of continuous control monitoring.
Common pitfalls
The classic mistake is excluding controls without a defensible justification, or excluding them simply because they are inconvenient to implement. Auditors challenge weak justifications directly.
A second pitfall is letting the SoA drift out of sync with the actual environment, so it lists controls as implemented that have since lapsed. A third is treating it as a standalone document disconnected from the risk assessment that should drive its content.
Frequently asked questions
- Can I exclude an Annex A control from my SoA?
- Yes, but every exclusion must carry a justification explaining why the control does not apply to your scope or risks. Excluding a control for convenience, without a defensible reason, is a common audit finding.
- How is the SoA different from a risk treatment plan?
- The risk treatment plan describes how you will address specific risks, while the SoA maps every Annex A control to an applicability decision. They are related: the treatment decisions inform which controls the SoA marks as applicable.
- How often should the SoA be updated?
- Whenever scope, risks, or controls change, and at minimum it should be reviewed during periodic management reviews and internal audits to confirm it still reflects reality.
- Is a Statement of Applicability required for ISO 42001 too?
- Yes. ISO 42001 follows the same management-system structure as ISO 27001, including a Statement of Applicability covering its AI-specific Annex A controls.