The Statement of Applicability, generated for you.
The SoA is the document your ISO 27001 certifier opens first — all 93 Annex A controls, what applies, why, and where each one stands. Cybereen builds it from your live evidence and exports it in one click.
What is a Statement of Applicability?
A Statement of Applicability (SoA) is the ISO 27001 document that lists every Annex A control, states whether it applies to your organisation, justifies each inclusion or exclusion, and records implementation status. It is the bridge between your risk assessment and your controls — and a required output of certification (clause 6.1.3).
Most teams maintain it by hand in a spreadsheet and dread keeping it current. Cybereen generates it from live data instead, so the SoA is always export-ready for your certifier. See ISO 27001 on Cybereen →
What goes in your SoA
Cybereen keeps each field current as you work — no spreadsheet reconciliation.All 93 Annex A controls
Every ISO 27001:2022 control across the four themes — organisational, people, physical and technological.
Applicable, with justification
Mark each control included or excluded and capture the justification your auditor will ask for.
Implementation status
Where each control stands — backed by the evidence attached to it, not a stale note in a cell.
One-click export
Generate the SoA from live data and hand your certifier a current document, not last quarter's snapshot.
See reporting →Statement of Applicability, answered.
What is a Statement of Applicability?
Is the Statement of Applicability mandatory for ISO 27001?
What is the difference between an SoA and a risk treatment plan?
How many controls are in the Statement of Applicability?
How does Cybereen generate the SoA?
Stop maintaining your SoA by hand.
See your Statement of Applicability generated from live evidence — in a 30-minute walkthrough.