
Inside a Statement of Applicability (SoA)

The Statement of Applicability (SoA) is the beating heart of any management system (ISO 27001, ISO 42001, ISO 27701). It connects your risks to the Annex A controls, explaining what’s implemented, what’s excluded, and why. A well-built SoA proves that your information security controls are intentional, effective, and auditable.


What is the Statement of Applicability?

The SoA is a central document in ISO 27001 that lists every control in Annex A and declares whether it is applied, excluded, or substituted with a compensating control. Each decision must be justified and supported by evidence. It’s where auditors begin — and often where they form their overall assurance opinion.

Connects risk to control

Shows how each chosen control addresses identified risks.

Defines implementation

Documents where each control “lives” — in policy, process, or technology.

Enables auditability

Provides the evidence path and review cadence for every control.

Why the SoA matters to your ISO 27001 certification

Transparency for auditors

A current SoA gives auditors confidence in your control design and maturity.

Clarity for management

Summarises what’s in scope, what’s excluded, and the residual risk rationale.

Efficiency for teams

A structured SoA prevents duplicated effort and streamlines evidence collection.

What auditors look for

Designing a maintainable SoA

The best SoAs live — not hide — inside your existing toolset. A SharePoint list or Excel-in-SharePoint with versioning beats a static Word file. It keeps ownership clear and evidence current.

Scope & risk

State scope, context, and risk methodology. Keep it concise but specific.

Selection rationale

Explain inclusions, exclusions, and any compensating controls.

Evidence map

Reference SharePoint folders and monthly snapshots from Defender / Entra / Purview.

Make it maintainable

  1. Store the SoA as a SharePoint list with versioning and column validation.
  2. Automate monthly evidence exports with Power Automate flows.
  3. Rotate internal review of 10–15 controls per month for continual assurance.

SoA fields that work

Control ID & title

E.g. A.5.1 – Information Security Policies

Risk link / rationale

Cross-reference to the relevant risk in your register.

Implementation status

Implemented / Partially / Planned / Excluded.

Control owner

Person / team responsible for operation and review.

Evidence location

SharePoint path + link to screenshots or exports.

Review cadence

Monthly, quarterly or annually based on risk criticality.
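The field set above, together with the "rotate 10–15 controls per month" practice from the maintainability steps, can be checked mechanically before a register ever reaches an auditor. The following Python is an added example written for this page, not the page's own tracker or any Microsoft 365 code: it models an SoA row with the fields listed, validates each row (every decision justified; applied controls linked to a risk, owned, and evidenced), flags reviews that have passed their cadence, and picks a rotating monthly review batch. The cadence thresholds, the `SAMPLE_REGISTER` rows, the `R-nn` risk ids and the `https://PLACEHOLDER-tenant/...` evidence paths are constructed assumptions; the Annex A control ids and titles are from ISO 27001:2022.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Status(str, Enum):
    """Implementation status values, as listed in the 'SoA fields that work' section."""
    IMPLEMENTED = "Implemented"
    PARTIALLY = "Partially"
    PLANNED = "Planned"
    EXCLUDED = "Excluded"


# Maximum days allowed between reviews for each cadence value (assumed thresholds).
CADENCE_DAYS = {"Monthly": 31, "Quarterly": 92, "Annually": 366}


@dataclass
class SoAEntry:
    """One row of the Statement of Applicability, mirroring the page's field list."""
    control_id: str
    title: str
    status: Status
    rationale: str          # risk link / justification for inclusion or exclusion
    owner: str              # person or team responsible for operation and review
    evidence_location: str  # SharePoint path or export link
    cadence: str            # Monthly / Quarterly / Annually
    last_reviewed: date
    risk_ids: tuple = ()    # cross-references into the risk register


def validate(entry: SoAEntry) -> list:
    """Return the completeness problems an auditor would raise for this row."""
    problems = []
    if entry.cadence not in CADENCE_DAYS:
        problems.append(f"{entry.control_id}: unknown review cadence {entry.cadence!r}")
    if not entry.rationale.strip():
        problems.append(f"{entry.control_id}: every inclusion or exclusion needs a justification")
    if entry.status is Status.EXCLUDED:
        return problems  # an excluded control needs only its justification
    if not entry.risk_ids:
        problems.append(f"{entry.control_id}: applied control must link to at least one risk")
    if not entry.owner.strip():
        problems.append(f"{entry.control_id}: applied control needs an owner")
    if entry.status is not Status.PLANNED and not entry.evidence_location.strip():
        problems.append(f"{entry.control_id}: implemented control needs an evidence location")
    return problems


def overdue_reviews(entries, today: date) -> list:
    """Control ids whose last review is older than their cadence allows."""
    return [e.control_id for e in entries
            if e.cadence in CADENCE_DAYS
            and (today - e.last_reviewed).days > CADENCE_DAYS[e.cadence]]


def _numeric_key(entry: SoAEntry):
    # Sort "A.8.7" before "A.8.12" by comparing the numeric parts, not the strings.
    return tuple(int(part) for part in entry.control_id.split(".")[1:])


def monthly_review_batch(entries, month_index: int, batch_size: int = 12) -> list:
    """Rotate through the applied controls so every one is sampled over successive months."""
    applied = sorted((e for e in entries if e.status is not Status.EXCLUDED), key=_numeric_key)
    n = len(applied)
    if n == 0:
        return []
    start = (month_index * batch_size) % n
    return [applied[(start + i) % n].control_id for i in range(min(batch_size, n))]


# Constructed sample register; paths and risk ids are placeholders, not real data.
EVIDENCE = "https://PLACEHOLDER-tenant/sites/isms/SoA/"
SAMPLE_REGISTER = [
    SoAEntry("A.5.1", "Policies for information security", Status.IMPLEMENTED,
             "Baseline requirement; treats R-01", "CISO", EVIDENCE + "A.5.1", "Annually",
             date(2024, 1, 15), ("R-01",)),
    SoAEntry("A.5.7", "Threat intelligence", Status.PARTIALLY,
             "Feeds in place, triage process still maturing; treats R-04", "SecOps",
             EVIDENCE + "A.5.7", "Quarterly", date(2024, 2, 15), ("R-04",)),
    SoAEntry("A.8.7", "Protection against malware", Status.IMPLEMENTED,
             "Monthly Defender export; treats R-02, R-03", "SecOps", EVIDENCE + "A.8.7",
             "Monthly", date(2024, 4, 2), ("R-02", "R-03")),
    SoAEntry("A.8.12", "Data leakage prevention", Status.PLANNED,
             "Purview DLP rollout scheduled; treats R-05", "Compliance", "", "Quarterly",
             date(2024, 5, 10), ("R-05",)),
    SoAEntry("A.7.7", "Clear desk and clear screen", Status.EXCLUDED,
             "No shared office space within the certification scope", "", "", "Annually",
             date(2024, 1, 15)),
    # Deliberately incomplete row: no rationale and no risk link.
    SoAEntry("A.8.16", "Monitoring activities", Status.IMPLEMENTED,
             "", "SecOps", EVIDENCE + "A.8.16", "Monthly", date(2024, 5, 20), ()),
]


def audit_register(entries, today: date) -> dict:
    """Everything a reviewer needs before the monthly check-in, in one structure."""
    return {
        "problems": [p for e in entries for p in validate(e)],
        "overdue": overdue_reviews(entries, today),
    }


if __name__ == "__main__":
    report = audit_register(SAMPLE_REGISTER, date(2024, 6, 1))
    print(report)
    print("review this month:", monthly_review_batch(SAMPLE_REGISTER, month_index=1, batch_size=3))
```

Run against a real register (exported from the SharePoint list as CSV, for instance), the `problems` list is the pre-audit gap list and `overdue` is the list to push to control owners via Teams; `monthly_review_batch` gives a stable rotation so that the 10–15 controls sampled each month eventually cover every applied control.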

Automation tips using Microsoft 365

Power Automate

Run monthly evidence collection from Defender, Entra ID and Purview.

SharePoint versioning

Track SoA edits automatically with timestamps & authors.

Teams notifications

Alert control owners when reviews / evidence updates are due.

Statement of Applicability FAQs

Is the SoA mandatory?

Yes — it’s a core requirement of ISO 27001 Clause 6.1.3 and Annex A.

How often should it be reviewed?

At least annually or whenever scope, risk or controls change.

Can we reuse it for other frameworks?

Yes — map controls to ISO 27701, ISO 42001, NIST CSF or SOC 2 to reduce duplicate effort.

Want to simplify your SoA process?

We’ll help you automate control tracking and evidence in Microsoft 365.
