ISO 27001 · 5 min read · 16 June 2026

What is a Statement of Applicability? The ISO 27001 document auditors open first

A plain-English guide to the ISO 27001 Statement of Applicability (SoA): what clause 6.1.3(d) requires, why it's central to certification, and how to keep it a living document.

If there's one document an ISO 27001 auditor reaches for before any other, it's the Statement of Applicability. Get it right and the rest of the audit has a clear backbone. Get it wrong and everything downstream wobbles.

What the SoA is

The Statement of Applicability (SoA) is required by clause 6.1.3(d) of ISO/IEC 27001. It is a single, controlled document that lists every Annex A control and, for each one, records:

  • whether it is applicable (included) or not (excluded),
  • the justification for that decision,
  • and whether the control is implemented and operating.

In the 2022 revision that means all 93 Annex A controls, across the Organizational, People, Physical and Technological themes.

Why it's the centre of gravity

The SoA is the map between your risk treatment and your controls. Your risk assessment identifies what needs treating; your risk treatment plan decides how; the SoA shows which Annex A controls you've selected to do it, and why any you've left out genuinely don't apply.

That's why an auditor opens it first: it tells them, in one place, the shape of your ISMS and whether your control selection is defensible. An exclusion with a weak justification ("we didn't think we needed it") is one of the fastest ways to a finding.

Where teams go wrong

  • Treating it as a one-off. The SoA is written once, then never touched as the business changes. By the next audit it no longer reflects reality.
  • Unjustified exclusions. Excluding a control because it's inconvenient rather than because it doesn't apply to your scope.
  • Status drift. The SoA says a control is implemented; the evidence says otherwise.
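The three failure modes above can be turned into mechanical checks. As an added example (not the article's or ResiliencePilot's code), a small Python checker over a constructed SoA: it assumes the 2022 Annex A numbering (A.5.1 to A.8.34, 93 controls) and an assumed list of phrases that mark an opinion rather than a scope-based justification.

```python
"""Sanity-check an ISO 27001:2022 Statement of Applicability (constructed example)."""
from dataclasses import dataclass, field

# Annex A (2022): 37 Organizational + 8 People + 14 Physical + 34 Technological = 93.
THEMES = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = {f"A.{t}.{n}" for t, count in THEMES.items() for n in range(1, count + 1)}
# Phrases that signal opinion rather than a scope-based reason (assumed heuristic).
WEAK_PHRASES = ("didn't think", "not needed", "inconvenient", "too expensive")

@dataclass
class SoARow:
    control: str
    applicable: bool
    justification: str = ""
    implemented: bool = False
    evidence: list = field(default_factory=list)  # links to evidence, not copies of it

def _key(control):
    """Sort key for A.<theme>.<n>, numeric so A.5.2 precedes A.5.10; unknown ids last."""
    return tuple(int(x) for x in control[2:].split(".")) if control in ALL_CONTROLS else (99,)

def weak(justification):
    text = justification.strip().lower()
    return not text or any(p in text for p in WEAK_PHRASES)

def check_soa(rows):
    """Return (control, finding) pairs sorted by control; an empty list means consistent."""
    findings = [(c, "control absent from SoA") for c in ALL_CONTROLS - {r.control for r in rows}]
    for r in rows:
        if r.control not in ALL_CONTROLS:
            findings.append((r.control, "not an Annex A (2022) control id"))
        if not r.applicable and weak(r.justification):
            findings.append((r.control, "exclusion lacks a scope-based justification"))
        if r.implemented and not r.evidence:
            findings.append((r.control, "marked implemented but no evidence linked"))
    return sorted(findings, key=lambda f: (_key(f[0]), f[1]))

def sample_soa():
    """Constructed SoA: all 93 controls present, then three deliberate defects."""
    rows = {c: SoARow(c, True, "in scope", True, ["evidence://" + c]) for c in ALL_CONTROLS}
    rows["A.7.4"] = SoARow("A.7.4", False, "We didn't think we needed it")  # weak exclusion
    rows["A.8.7"] = SoARow("A.8.7", True, "in scope", True, [])            # status drift
    del rows["A.6.3"]                                                      # missing control
    return list(rows.values())

if __name__ == "__main__":
    for control, finding in check_soa(sample_soa()):
        print(control, finding)
```

Run it against the real SoA export each time a control's status or the risk picture changes, so the document an auditor opens first is checked before they open it.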

Keeping it living

A good SoA is maintained, not assembled. When a control's status or your risk picture changes, the SoA changes with it, and the supporting evidence is linked rather than re-gathered each cycle. Done that way, the document an auditor opens first is also the one that gives them the least to worry about, and preparing it stops being a scramble before every audit.
