Inside a Statement of Applicability (SoA)

The SoA connects your risks to Annex A controls and explains what you have implemented, why, and how it is evidenced. Get this right and audits go smoothly; get it wrong and you will chase evidence for months.

What auditors look for

  • Traceability: each control selected (or excluded) links back to your risk context.
  • Implementation detail: where the control “lives” (policy, tech, process).
  • Evidence pointers: screenshots, exports, logs, approvals, and review cadence.
  • SoA currency: last updated date, owner, change notes.

Scope & risk

State the scope, context, and risk method used. Keep it short but specific.

Selection rationale

State why each Annex A control is included or excluded, and name any compensating controls that cover an excluded one.

Evidence map

Point each control to its SharePoint evidence folder and to the monthly snapshots exported from Entra, Defender and Purview.

Make it maintainable

  1. Keep the SoA as a table in SharePoint with required fields and version history.
  2. Automate monthly evidence exports (Power Automate) into dated folders.
  3. Review a small set of controls each month (rolling internal audit).
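As an added example (not part of this page or of any SoA tracker product), a small Python checker that applies the four auditor checks above to a constructed SoA table: it flags controls with no selection rationale, included controls with no risk link, implementation location or evidence pointer, rows with no owner, and rows whose last review is older than the agreed cadence. The row layout, field names and sample values are assumptions.

```python
from datetime import date

# Constructed sample SoA rows (hypothetical values, not a real SoA).
SOA_ROWS = [
    {"control": "A.5.1", "included": True, "risk_ids": ["R-12"],
     "lives_in": "policy", "evidence": "SoA/A.5.1/2024-05",
     "rationale": "Policy framework required by scope",
     "owner": "CISO", "last_reviewed": "2024-05-02"},
    {"control": "A.8.8", "included": True, "risk_ids": ["R-03", "R-19"],
     "lives_in": "tech", "evidence": "",  # evidence pointer never filled in
     "rationale": "Vulnerability management for internet-facing hosts",
     "owner": "SecOps", "last_reviewed": "2024-01-10"},
    {"control": "A.7.6", "included": False, "risk_ids": [],
     "lives_in": "", "evidence": "", "rationale": "",  # exclusion unjustified
     "owner": "Facilities", "last_reviewed": "2024-04-20"},
]


def check_soa(rows, today="2024-06-01", max_age_days=90):
    """Return (control, issue) pairs an auditor would raise against the table.

    today is an ISO date string so the check is reproducible; max_age_days is
    the review cadence the organisation has committed to (assumed 90 here).
    """
    as_of = date.fromisoformat(today)
    findings = []
    for r in rows:
        cid = r["control"]
        # Selection rationale is required whether the control is in or out.
        if not r["rationale"]:
            findings.append((cid, "missing selection rationale"))
        if r["included"]:
            # Traceability, implementation detail and evidence pointer.
            if not r["risk_ids"]:
                findings.append((cid, "no traceability to risk register"))
            if not r["lives_in"]:
                findings.append((cid, "no implementation location"))
            if not r["evidence"]:
                findings.append((cid, "no evidence pointer"))
        # SoA currency: an owner and a review within the cadence.
        if not r["owner"]:
            findings.append((cid, "no owner"))
        age = (as_of - date.fromisoformat(r["last_reviewed"])).days
        if age > max_age_days:
            findings.append((cid, "review overdue"))
    return findings


if __name__ == "__main__":
    for control, issue in check_soa(SOA_ROWS):
        print(f"{control}: {issue}")
```

Run it against an export of the SharePoint table before each internal-audit cycle so the rolling review picks up stale or unevidenced rows first.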