The structure of the Statement of Applicability includes the following elements:

1. A list of all controls from ISO 27001 Annex A.
2. Identification of which controls are applicable and which are not.
3. Justification for controls marked as applicable.
4. Justification for controls marked as not applicable.
5. Implementation methods for applicable controls.
6. Status of each control.