
Statement of Applicability (SoA)

Also known as: SoA
ISO 27001

ISO 27001 document declaring which Annex A controls apply, why, and how — central artefact for certification.

The Statement of Applicability (SoA) is a mandatory ISO 27001 document (clause 6.1.3 d) listing every necessary control for the ISMS, normally each Annex A control plus any control added from other sources, together with the decision to include or exclude it, the justification for that decision, and whether it is implemented. Because exclusions must be justified against the organisation's own risk assessment and risk treatment plan, the SoA is the auditor's primary navigation document for the certification audit.

Why it matters
A weak SoA (exclusions without a risk-based justification, controls marked "in progress" with no target date or evidence, or entries that do not match the risk treatment plan) is one of the most common sources of major nonconformities at Stage 2, because the auditor samples controls directly from it.

Related terms

ISO 27001 Annex A
The catalogue of 93 reference controls (2022 edition) across Organisational, People, Physical, and Technological themes.
ISO/IEC 27001
International standard for an Information Security Management System (ISMS) with 93 Annex A reference controls (2022 edition).
ISMS (Information Security Management System)
A documented, risk-based management system for information security — the object of ISO 27001 certification.

Does your program actually cover Statement of Applicability (SoA)?

Run a free ComplianceIQ audit against ISO 27001 and we'll surface every gap on this — and the other controls auditors flag — with the exact clause references to fix.
