The structure of the Statement of Applicability includes:

- Listing all controls from ISO 27001 Annex A.
- Defining which controls are applicable and which are not applicable.
- Providing justification for controls marked as applicable.
- Providing justification for controls marked as not applicable.
- Defining implementation methods for applicable controls.
- Defining the status of each control.