What is Statement of Applicability (SoA)?
The ISO 27001 document that says which controls apply, why, and whether they are in place.
Statement of Applicability (SoA): definition
The SoA connects an organization risk assessment to the controls it has chosen. For ISO 27001, it addresses the Annex A controls, documenting for each whether it applies, the justification for inclusion or exclusion, and its current status. It is one of the first documents an ISO 27001 auditor reviews because it shows the scope of the information security management system and the reasoning behind every control decision.
- Lists each control with an include/exclude decision and justification
- Links controls to the risks and requirements they address
- Records implementation status of each applicable control
- A mandatory, foundational ISO 27001 document reviewed by auditors
How Fintra handles it
Fintra AI governance maintains the mapping of controls to risks and their status, which is exactly what a Statement of Applicability captures - so the SoA reflects the live state of controls rather than a document that drifts out of date. Inclusion and exclusion rationales are recorded against each control, keeping the SoA audit-ready.
- Control applicability, justification, and status kept current
- Controls linked to the risks they address
- SoA reflects live control state for audit
Worked example
| Control | Applicable? | Justification | Status |
|---|---|---|---|
| Access control policy | Yes | Regulatory + risk of unauthorized access | Implemented |
| Cryptography | Yes | Protects data in transit and at rest | Implemented |
| Physical media handling | No | Fully cloud-hosted, no physical media | Excluded |
Frequently asked questions
What is the purpose of a Statement of Applicability?
It documents which security controls apply to an organization, why each is included or excluded, and their implementation status. For ISO 27001 it defines the scope of controls and shows the reasoning behind them, making it a central artifact auditors examine early.
Is the Statement of Applicability mandatory for ISO 27001?
Yes - the SoA is a required document under ISO 27001. Certification cannot proceed without it, because it demonstrates that the organization has considered each control and made a justified decision about its applicability and status.
What is the difference between the SoA and the risk treatment plan?
The SoA lists the controls and their applicability and status; the risk treatment plan describes how identified risks will be addressed, including timelines and responsibilities. They are related - the treatment plan drives control decisions that the SoA records - but serve different purposes.
How often should the SoA be updated?
Whenever controls, risks, or scope change, and at least during periodic reviews. A stale SoA undermines the ISMS and raises audit findings. Keeping control status live, as Fintra does, means the SoA reflects reality rather than a point-in-time snapshot.
Keep going
Stay in the loop
One practical finance briefing a week - new guides, checklists, and benchmarks.
See how Fintra handles the numbers behind this term
Fintra is the AI Finance Operating System for SMBs - accounting, planning, payroll, equity, and AI governance on one shared data model, with a named human approving anything consequential. Free to start, no card required.
Talk to us