A Statement of Applicability (SoA) is a core document in ISO/IEC 27001 that lists all the security controls from Annex A of the standard and states:
- Which controls are applicable to your organization
- Why each control is included or excluded
- The current implementation status of each control

The SoA serves as both a roadmap and evidence of how your organization addresses information security risks. It helps auditors verify that you’re applying the appropriate controls based on your risk assessment, business context, and regulatory requirements.

In short, the SoA links your risk management strategy to actual security measures and is essential for both internal governance and external audits.