Statement of Applicability (SoA) in ISO 27001 Certification

The Statement of Applicability (SoA) under ISO 27001:2022 documents all relevant security controls (Annex A Controls) and their implementation status.

It answers three key questions:

• Which controls from Annex A have been selected?
• What is their implementation status? (implemented, planned, excluded)
• Why were certain controls excluded?

Official Definition:
According to ISO/IEC 27001:2022, the SoA is a document that “includes all relevant security controls, together with their implementation status and justifications for inclusion or exclusion.”

The SoA serves as proof, a management tool, and a communication document.

Tip: Auditors often start their review with the SoA. A clean, up-to-date SoA can significantly shorten the audit process.

The SoA is usually presented in table format. Typical structure:

1. Conduct a Risk Assessment

Assess organizational risks: Which threats affect confidentiality, integrity, and availability?

2. Identify Relevant Controls

Go through all Annex A (ISO 27001:2022) controls and select those that address your identified risks.

3. Document Implementation Status

For each control, record whether it’s implemented, planned, or excluded.

4. Add Justifications and Evidence

Briefly explain why something is excluded or still in progress. Attach supporting evidence (e.g., policies, reports).

5. Keep It Updated

Review your SoA at least annually or whenever major organizational changes occur.

Real-World Example: Atlassian

The Atlassian Trust Center demonstrates how transparency builds trust. Atlassian publicly lists its ISO 27001 measures and documentation.

You can apply the same principle: use your SoA as an internal trust document – not just for auditors but also for clients and partners.

Tip: Treat your SoA like a living document. Implement version control to track changes over time.

At heyData, we help organizations manage their entire ISO 27001 journey, and the Statement of Applicability (SoA) plays a crucial role in that process. We don’t just provide a tool to document your SoA, we actively guide you in building it correctly and keeping it aligned with your evolving ISMS.

Our approach ensures that your SoA is not a static document but a dynamic reflection of your organization’s security posture.

With heyData, you can:

• Map Annex A controls to your risk assessment and policies.
• Generate your SoA based on your asset and risk register, ensuring each control is linked to tangible evidence.
• Track implementation progress and assign responsibilities across your teams.
• Maintain audit readiness, with version control and change tracking for every SoA update.
• Integrate ongoing improvements, feeding updates from audits and management reviews directly into your SoA.

In short, heyData helps you turn the SoA from a compliance requirement into a living management tool that connects governance, risk, and security operations in one place.

The Statement of Applicability (SoA) isn’t just a checklist – it’s the strategic backbone of your ISMS. It connects risks, measures, and responsibilities.

With a structured, transparent, and up-to-date SoA, you lay the foundation for successful ISO 27001 certification – and build trust with your clients.

What is the Statement of Applicability according to ISO 27001:2022?

The SoA is a mandatory document listing all 93 security controls (Annex A) and describing whether they are implemented, planned, or excluded.

Why is the SoA important?

It’s the main audit evidence showing that your ISMS is based on a conscious risk assessment.

How often should the SoA be updated?

At least once a year or after significant organizational changes.

Who is responsible for creating the SoA?

Typically the ISMS team or the appointed Data Protection or Information Security Officer.

Can the SoA be automated?

Yes. Tools like heyData help automate updates, version control, and audit exports.