← Back to Blog
ISO & compliance

What is a Statement of Applicability (SoA)?

ISMS Vision Team April 2026 8 min read

ISO/IEC 27001:2022 is the authoritative source for certification requirements. This article explains common practice language; your implementation and registrar may use slightly different templates.

Under ISO/IEC 27001, after you analyse information security risks and choose how to treat them, you need a clear record of which controls you actually apply and why. That record is usually called the Statement of Applicability—often shortened to SoA.

SoA in one sentence

The SoA is a structured list (typically aligned to Annex A of ISO/IEC 27002) where, for each control objective or control theme, you state whether it applies to your ISMS and give a justification—especially for exclusions or variants—so an auditor can follow your logic from risk treatment to implemented safeguards.

How the SoA differs from the risk register

The risk register answers: “What could go wrong, how bad is it, who owns it, and what are we doing about it?” The SoA answers: “Across the whole ISMS scope, which baseline controls are we claiming, which are out of scope or not applicable, and what is our rationale?” The two must agree: if you say a control is not applicable, your risk assessment should explain why the related risks are acceptable without it.

What each row usually contains

Mature SoA rows combine catalogue identity with narrative:

  • Control reference — for example an Annex A identifier or your internal ID mapped to the standard.
  • Title and summary — what the control is meant to do.
  • Applicable? — yes / no (or equivalent), with no vague blanks for in-scope systems.
  • Justification — why it applies, or why not; reference scope boundaries, compensating controls, or outsourcing where relevant.
  • Often (outside the SoA table itself) implementation evidence lives in procedures, tickets, test reports, and configuration baselines—the SoA points to the story; it does not replace evidence stores.

When it gets reviewed

The SoA is not a one-off certification artifact. It should be updated when scope, legislation, architecture, or risk outcomes change—otherwise the ISMS looks frozen while the business moves on.

Next steps: How to fill in a Statement of Applicability, and How ISMSVision helps with the SoA. For controls vocabulary, see what are controls?

SoA alongside risks and controls

ISMSVision keeps the SoA view tied to the same control library you use for risk treatment.

Risk Management