The Cyber Academy take
The SoA is the controlled document that tells the auditor which Annex A controls apply to you, why, where the evidence lives. Mandatory under ISO 27001. Inconsistency between SoA, risk treatment plan and actual operations is the most common cause of non-conformities at stage 2 audit.
Why ISO 27001 makes the SoA mandatory
The Statement of Applicability is the bridge between your risk work and the controls an auditor will actually inspect. ISO/IEC 27001 leaves the body of the standard deliberately open on which controls you must run, because the right answer depends on your context and your risks. The SoA is where you close that gap: for every reference control in Annex A, you record whether it applies, the justification for including or excluding it, whether it is already implemented, and where the supporting evidence sits. It is one of the few documents the standard names explicitly as required output, which is why no certification audit proceeds without it.
A useful way to think about it is that the SoA turns a generic control catalogue into a statement about your organisation specifically. The Annex A reference set is the same for everyone. Your SoA is not. Two certified companies of similar size can legitimately exclude different controls, because their risk assessments and their operating context differ. The document exists to make those choices visible and defensible rather than implicit.
How the SoA relates to risk assessment and risk treatment
The SoA does not stand alone. It is the downstream product of the risk assessment and the risk treatment plan, and the three have to agree. The risk assessment identifies what could go wrong. The risk treatment plan decides what to do about each risk, including which controls to apply. The SoA then declares, control by control, what that decision means against the Annex A reference set. When an auditor reads the SoA, they are really checking that the line from a documented risk, to a treatment decision, to an applied control, to actual evidence holds together end to end.
Exclusions deserve particular care. Marking a control as not applicable is legitimate, but only with a stated reason tied to your context. "We do not develop software in-house" is a defensible basis for narrowing certain development controls. "We did not get to it" is not an exclusion, it is a gap. Auditors probe exclusions precisely because they are where organisations sometimes hide unfinished work.
What practitioners actually maintain
Treating the SoA as a living register rather than a one-off spreadsheet is what separates a smooth surveillance audit from a scramble. In practice, maintaining it well looks like this:
- Keep one row per Annex A control, with applicability, justification, implementation status and an evidence pointer that an auditor can follow without you in the room.
- Re-cut the SoA whenever the risk assessment or treatment plan changes, so the three documents never quietly diverge.
- Tie each evidence pointer to something real and current, a policy, a configuration, a ticket, a log, not a promise to produce it later.
- Review the document on a fixed cadence and at management review, not only in the weeks before an audit.
- When transitioning between versions of the standard, remap the SoA against the revised control set and confirm nothing fell through merged or newly introduced controls.
Done this way, the SoA stops being audit paperwork and becomes the index to your whole information security management system. It is the first document an experienced auditor asks for, because it tells them where everything else lives.
Frequently asked questions
01Is a Statement of Applicability mandatory for ISO 27001?
Yes. The SoA is one of the documents ISO/IEC 27001 explicitly requires. A certification audit cannot be completed without it, because it is how the auditor knows which Annex A controls you claim to apply and why.
02What is the difference between the SoA and the risk treatment plan?
The risk treatment plan decides what you will do about each identified risk, including which controls to apply and on what timeline. The SoA is the control-by-control declaration against the Annex A reference set, recording applicability, justification, status and evidence. They must stay consistent with each other.
03Can I exclude controls in the SoA?
Yes, provided you give a justification grounded in your context and risk assessment. A control that genuinely does not apply to your operations can be excluded; a control you simply have not implemented yet is a gap, not an exclusion, and auditors test the difference.
04How often should the SoA be updated?
Whenever the risk assessment or risk treatment plan changes, and at each management review. Treating it as a living document keeps it aligned with operations and avoids the drift that produces audit findings.
05Who owns the Statement of Applicability?
It is a controlled document under the ISMS, so it sits with whoever owns the management system, typically the information security manager or ISMS lead, with sign-off through management review. Control owners feed in the implementation status and evidence for their areas.