Chat with Experta

User
What is the structure of Statement of Applicability?
Experta
At the minimum, the Statement of Applicability (SoA) compliant with ISO 27001:2022 must include the following elements:
- A list of all controls from Annex A
- Additional controls not included in Annex A that the organization deems necessary to implement
- Decision on whether a control is applicable or not
- Justification for including the controls (if they are marked as applicable) or justification for their exclusion (if they are marked as not applicable)
- Whether each control is implemented or not

It is also good practice to include information on how each applicable control is to be implemented.

Note: The SoA will be the central document during the ISO 27001 certification audit because the auditor will use this document as a reference for which controls are to be implemented, why, and how.

Examples:
Here is what a Statement of Applicability could look like for a couple of controls: https://support.advisera.com/media/images/iso-27001/statement-of-applicability-controls.png