Statement of Applicability

Manage all 93 Annex A controls across four categories, track applicability and implementation status, and export your SoA for auditors.

Overview

The Statement of Applicability (SoA) is one of the most critical documents in your ISMS. It lists all 93 Annex A controls from ISO 27001:2022 and records whether each control is applicable to your organisation, along with its current implementation status. Auditors will review your SoA to understand the scope of your security controls and verify that exclusions are justified.

In Standardise, the SoA module provides a structured interface for managing all 93 controls, organised into the four Annex A categories defined by the standard.

The Four Control Categories

ISO 27001:2022 groups the 93 Annex A controls into four thematic categories. Standardise presents these as filterable tabs so you can work through each category systematically:

  • Organisational Controls (A.5) — 37 controls covering policies, roles, asset management, access control, supplier relationships, and information security in project management.
  • People Controls (A.6) — 8 controls addressing screening, employment terms, awareness training, disciplinary processes, and responsibilities after termination.
  • Physical Controls (A.7) — 14 controls for physical security perimeters, entry controls, securing offices, equipment protection, and secure disposal.
  • Technological Controls (A.8) — 34 controls covering endpoint devices, access rights, secure authentication, malware protection, backups, logging, network security, and secure development.

Bulk Initialisation

When you first navigate to the SoA module, you will see an empty state with an Initialise 93 Controls button. Clicking this button bulk-inserts all 93 Annex A controls into your organisation's SoA with sensible defaults: each control is marked as applicable with a status of not implemented.

This operation is idempotent — if some controls already exist (for example, if two team members click the button simultaneously), no duplicates will be created. After initialisation, you can work through each control to set the correct applicability and implementation status.

Editing Controls

Click on any control row to open the edit dialog. For each control, you can set:

  • Applicability — Whether the control is applicable or not applicable. If not applicable, you should record a justification for the exclusion (auditors will ask).
  • Implementation Status — One of: not implemented, partially implemented, fully implemented, or not applicable.
  • Justification — Free text explaining why the control is excluded or how it is implemented. Record one for every control, not only the exclusions: Clause 6.1.3 d) of ISO 27001:2022 asks for a justification for each control's inclusion as well as for any Annex A control that is excluded, and auditors will look for both.

CSV Export

The SoA can be exported to CSV using the export button in the top toolbar. This produces a spreadsheet-ready file with all 93 controls, their categories, applicability status, implementation status, and justifications. This is useful for sharing with external auditors or importing into other compliance tools. Because the file records exactly which controls are not yet implemented, treat it as confidential and share it only over an agreed channel.
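The two behaviours above, the idempotent 93-control initialisation and the CSV export, are illustrated below in an added example. This is not Standardise's code and nothing is known about its actual schema or storage; the table, column names and functions are assumptions made for the illustration. It uses a UNIQUE constraint on (org_id, control_id) with INSERT OR IGNORE so that a repeated initialisation inserts nothing, and it prefixes any free-text justification that a spreadsheet would otherwise evaluate as a formula, a precaution added here rather than anything the page states about the product.

```python
"""Illustrative SoA store: idempotent bulk initialisation and CSV export.

Added example, not Standardise's code. Schema and function names are
hypothetical; the control numbering follows ISO 27001:2022 Annex A.
"""
import csv
import io
import sqlite3

# Annex A categories and the number of controls in each: 37 + 8 + 14 + 34 = 93.
# Control identifiers follow the standard (A.5.1 ... A.8.34); titles are
# deliberately not reproduced here.
CATEGORIES = {
    "A.5": ("Organisational", 37),
    "A.6": ("People", 8),
    "A.7": ("Physical", 14),
    "A.8": ("Technological", 34),
}

# Hypothetical schema. The UNIQUE constraint on (org_id, control_id) is what
# makes the bulk insert safe to run twice, even from two users at once.
SCHEMA = """
CREATE TABLE IF NOT EXISTS soa_control (
    org_id        TEXT NOT NULL,
    control_id    TEXT NOT NULL,
    category      TEXT NOT NULL,
    applicable    INTEGER NOT NULL DEFAULT 1,
    status        TEXT NOT NULL DEFAULT 'not implemented',
    justification TEXT NOT NULL DEFAULT '',
    UNIQUE (org_id, control_id)
);
"""


def annex_a_control_ids():
    """Yield (control_id, category) for all 93 Annex A controls in order."""
    for prefix, (category, count) in CATEGORIES.items():
        for n in range(1, count + 1):
            yield f"{prefix}.{n}", category


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def initialise_controls(conn, org_id):
    """Bulk-insert the 93 controls with defaults; return rows actually inserted.

    INSERT OR IGNORE skips rows that violate the UNIQUE constraint, so a
    second call (or a concurrent one) inserts nothing and returns 0.
    """
    rows = [(org_id, cid, cat) for cid, cat in annex_a_control_ids()]
    with conn:
        before = conn.total_changes
        conn.executemany(
            "INSERT OR IGNORE INTO soa_control (org_id, control_id, category) "
            "VALUES (?, ?, ?)",
            rows,
        )
        return conn.total_changes - before


def count_controls(conn, org_id):
    sql = "SELECT COUNT(*) FROM soa_control WHERE org_id = ?"
    return conn.execute(sql, (org_id,)).fetchone()[0]


def update_control(conn, org_id, control_id, applicable, status, justification):
    """Set applicability, status and justification; return rows updated (0 or 1)."""
    with conn:
        cur = conn.execute(
            "UPDATE soa_control SET applicable = ?, status = ?, justification = ? "
            "WHERE org_id = ? AND control_id = ?",
            (int(applicable), status, justification, org_id, control_id),
        )
        return cur.rowcount


def neutralise(cell):
    """Prefix values a spreadsheet would treat as a formula (=, +, -, @)."""
    return "'" + cell if cell[:1] in ("=", "+", "-", "@") else cell


def export_csv(conn, org_id):
    """Return the organisation's SoA as CSV text, one row per control."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["control_id", "category", "applicable", "status", "justification"])
    sql = (
        "SELECT control_id, category, applicable, status, justification "
        "FROM soa_control WHERE org_id = ? ORDER BY rowid"
    )
    for cid, cat, app, status, just in conn.execute(sql, (org_id,)):
        writer.writerow(
            [cid, cat, "applicable" if app else "not applicable", status, neutralise(just)]
        )
    return buf.getvalue()


if __name__ == "__main__":
    db = open_db()
    print(initialise_controls(db, "acme"), initialise_controls(db, "acme"))  # 93 then 0
    update_control(db, "acme", "A.7.4", False, "not applicable", "No on-site equipment")
    print(export_csv(db, "acme").splitlines()[:3])
```

The important design point is that the duplicate check lives in the database constraint, not in an application-side "does it exist yet" query: two requests racing through a check-then-insert would both pass the check, whereas the constraint makes the second insert a no-op regardless of timing.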

ISO 27001 Mapping

The Statement of Applicability is required by Clause 6.1.3 d) of ISO 27001:2022, which states that organisations must produce a Statement of Applicability that contains the necessary controls, justification for their inclusion, whether they are implemented or not, and justification for excluding any Annex A controls. The SoA is therefore a mandatory output of the risk treatment process (Clause 6.1.3): it is derived from the results of the risk assessment (Clause 6.1.2), which determines which controls are necessary, and it feeds directly into the risk treatment plan (Clause 6.1.3 e).