AI-27001Request a free evidence review

SoA guide

How to write a Statement of Applicability

To write a Statement of Applicability properly, start with scope, risk treatment, and real control ownership. A good SoA explains why a control applies, how it is handled, and where the evidence sits.

8 min readISO 27001 owners, consultants, IT leads, and teams drafting or cleaning up an SoA2026-04-25

Start with the direct answer.

To write a Statement of Applicability, start with the current scope of the ISMS, the risk assessment and treatment decisions, and the control set you are using. Then document which controls are applicable, why they are applicable or excluded, how they are implemented, and where the supporting evidence or policy sits.

The Statement of Applicability should not read like a pasted Annex A table. It should read like a current management record that explains the organisation's control choices clearly enough for internal owners, auditors, and reviewers to follow.

What the SoA is actually doing.

The SoA sits between the abstract control set and the reality of your implementation. It explains which controls matter in your environment, how the organisation treats them, and where to look next if someone wants to test the answer.

That is why a weak SoA causes more pain than its size suggests. If the logic is vague or the links to evidence are stale, teams end up reconstructing the story manually every time they need to explain their controls.

What to include in a useful SoA.

The exact table format can vary, but the underlying questions should stay clear. A reviewer should be able to read the SoA and understand what the control is doing in the ISMS, not just where it sits in the numbering scheme.

  • Control identifier and clear control name
  • Applicability decision
  • Rationale for inclusion or exclusion
  • Implementation status or implementation note
  • Owner or accountable function where appropriate
  • Reference to linked policy, process, record, or evidence location

Common mistakes to avoid.

The easiest mistake is to treat the SoA as a one-time spreadsheet task. The second is to keep justifications so generic that they stop being useful. The third is to let the SoA drift away from current risk treatment and evidence.

In practice, the SoA works best when it is reviewed as part of the live operating model rather than as a side document updated only before audit.

Free review

Not ready to book? Get a practical evidence next step instead.

Pick the lower-friction option that fits where you are. We’ll use your page and campaign context to understand the request without adding tracking clutter to the visible URL.

We’ll look at one evidence flow and send practical gaps or next steps.

12
Choose an offer

Send this short request now, or add optional sales context first if it helps route the reply.

Prefer to talk it through?

If your SoA feels inherited or overgrown, compare notes.

A lot of SoAs look finished until someone asks for the current evidence and rationale behind them. If you are cleaning one up, I’m happy to compare notes.

See the free ISO 27001 evidence review

Related reading

More ISO/IEC 27001 explainers.

These pieces are meant to help technical teams, advisers, and internal owners make sense of the 2022 edition, Annex A, and how older material should be reviewed.

Telecoms insight

What Ofcom's Telecoms Access Review 2026-31 means for ISP compliance evidence

The Telecoms Access Review is not an ISO 27001 rule, but it changes the operating environment for ISPs, altnets, wholesale buyers, and infrastructure users. That makes clean evidence ownership more important.

7 min readISP, altnet, wholesale telecoms, and TSA compliance teams
Read What Ofcom's Telecoms Access Review 2026-31 means for ISP compliance evidence

Incident evidence insight

Palo Alto zero-days are an ISO 27001 evidence problem, not just a patching problem

When a perimeter firewall zero-day is exploited before every team has patched, the compliance question becomes practical: can you prove exposure, ownership, mitigation, customer impact, and management review quickly enough?

7 min readMSPs, ISPs, SaaS security teams, and ISO 27001 owners
Read Palo Alto zero-days are an ISO 27001 evidence problem, not just a patching problem

AI-27001 is a product of SW DIGITAL SERVICES LIMITED, registered in England and Wales. Company number 17178287.