SentinelPanda

The ISO 27001 Statement of Applicability, done right

February 18, 2026

The SoA is the single document a certification auditor measures everything else against. Get it right and the audit goes smoothly.

What the SoA is

ISO 27001 clause 6.1.3(d) requires a Statement of Applicability: for every control in the Annex A catalogue, you declare whether it applies, the implementation status, and the justification — including why any control is excluded. It is the contract between your ISMS and the standard.

What it must contain

  • Every Annex A control, marked applicable or not applicable.
  • For applicable controls: the implementation status and a reference to the evidence.
  • For excluded controls: a justification an auditor will accept — not just "not relevant."
  • A link to the risk treatment that drove each decision.

Justifying exclusions

Exclusions are where audits get challenged. "We have no developers, so secure-development controls are not applicable" is defensible. "We did not get to it" is not — that is a gap, not an exclusion. Every "not applicable" needs a reason rooted in your actual scope and risk treatment.

Keep it living

The most common failure is treating the SoA as a one-time spreadsheet produced for the audit and never touched again. It should be updated whenever a control's status changes, whenever the scope changes, and whenever new risks are treated. An SoA that tracks the real state of your controls turns the audit into a confirmation rather than a discovery exercise.
