How ISMSVision helps with the Statement of Applicability

In ISMSVision, the SoA is not a disconnected spreadsheet. The Statement of Applicability tab in Risk Management reads from the same control library you maintain under the Controls tab—each control can carry applicability and justification fields that feed the SoA table auditors expect to see alongside your risk treatment story.

Where to work in the app

After opening Risk Management in the authenticated app (/app/risk-management):

• Use Controls to create or import controls, set Annex references, categories, status, effectiveness, monitoring cadence, and the narrative that describes implementation.
• Open Statement of Applicability to see a consolidated table: control reference, title, whether the control is marked applicable, and the justification text—aligned to the “for each control: does it apply and why?” question from ISO 27001 guidance.
• Use Risks to link risks to those same controls so residual ratings and SoA applicability stay mutually explainable.

Why this reduces drift

When SoA rows are manually copied from the control register, teams forget to update one side after a scope change. ISMSVision keeps a single library as the source of control identity; the SoA view reflects current applicability flags and text, while the Overview tab surfaces SoA-oriented summary metrics with the rest of your risk posture.

What you still bring as an organisation

Software cannot choose your scope or write legally accurate justifications for you. Owners still need to agree on “applicable vs not,” attach proportionate evidence in your document or ticket system, and run management review. ISMSVision shortens the path from decision to recorded state—and keeps risk, controls, and SoA in one workspace.

Background reading: What is a SoA? and How to fill in an SoA. For the full module layout, see Managing risks in ISMSVision (detailed guide).