The SoA is the heart of your ISMS. It lists all 93 Annex A controls from ISO 27001:2022 and documents which are applicable, why, and the implementation status of each.

Working with the SoA

Go to ISO 27001 → Statement of Applicability. You'll see all controls organized by the four themes:
- Organisational (37 controls)
- People (8 controls)
- Physical (14 controls)
- Technological (34 controls)

For each control, set:
| Field | Description |
|---|---|
| Applicable | Yes or No — with justification if excluded |
| Implementation Status | Not Started, Partial, Implemented, Not Applicable |
| Implementation Notes | How the control is implemented in your organisation |
| Evidence | References to documents or systems that demonstrate implementation |

Use the filter and search to quickly find specific controls. The SoA progress bar shows overall implementation coverage.