ISO 27001 · STATEMENT OF APPLICABILITY

The Statement of Applicability, generated for you.

The SoA is the document your ISO 27001 certifier opens first — all 93 Annex A controls, what applies, why, and where each one stands. Cybereen builds it from your live evidence and exports it in one click.

93 Annex A controls · one-click export

What is a Statement of Applicability?

A Statement of Applicability (SoA) is the ISO 27001 document that lists every Annex A control, states whether it applies to your organisation, justifies each inclusion or exclusion, and records implementation status. It is the bridge between your risk assessment and your controls — and a required output of certification (clause 6.1.3).

Most teams maintain it by hand in a spreadsheet and dread keeping it current. Cybereen generates it from live data instead, so the SoA is always export-ready for your certifier. See ISO 27001 on Cybereen →

What goes in your SoA

Cybereen keeps each field current as you work — no spreadsheet reconciliation.
CONTROLS

All 93 Annex A controls

Every ISO 27001:2022 control across the four themes — organisational, people, physical and technological.

APPLICABILITY

Applicable, with justification

Mark each control included or excluded and capture the justification your auditor will ask for.

STATUS

Implementation status

Where each control stands — backed by the evidence attached to it, not a stale note in a cell.

EXPORT

One-click export

Generate the SoA from live data and hand your certifier a current document, not last quarter's snapshot.

See reporting →

Statement of Applicability, answered.

What is a Statement of Applicability?
A Statement of Applicability (SoA) is the ISO 27001 document that lists every Annex A control, says whether it applies to your organisation, justifies why it is included or excluded, and records its implementation status. It is the bridge between your risk assessment and your controls — and the first document most certifiers open.
Is the Statement of Applicability mandatory for ISO 27001?
Yes. The SoA is a required output of ISO 27001 (clause 6.1.3). You cannot be certified without one. It must cover all of the Annex A controls and give a justification for each inclusion or exclusion.
What is the difference between an SoA and a risk treatment plan?
The risk treatment plan says what you will do about each risk and by when; the Statement of Applicability records which controls you have selected, whether each applies, and its status. The risk treatment plan drives decisions; the SoA documents the resulting control set for the auditor.
How many controls are in the Statement of Applicability?
Under ISO 27001:2022 there are 93 Annex A controls, grouped into four themes (organisational, people, physical and technological). Your SoA addresses all 93, marking each as applicable or not with a justification.
How does Cybereen generate the SoA?
Cybereen maps your evidence and decisions to every Annex A control as you work, so the Statement of Applicability is generated from live data — inclusion or exclusion, justification, and implementation status — and exported in one click whenever your certifier asks for it.

Stop maintaining your SoA by hand.

See your Statement of Applicability generated from live evidence — in a 30-minute walkthrough.