Glossary

Statement of Applicability (SoA)

A mandatory ISO 27001 document that lists the Annex A controls, states whether each one applies to the organisation's ISMS and records the justification for every inclusion or exclusion.


The Statement of Applicability (SoA) is a mandatory ISO 27001 document, required by clause 6.1.3 d), that lists every control in Annex A (plus any additional controls the organisation has chosen) and states whether each is applicable, together with a justification for its inclusion or exclusion. For each applicable control it records the implementation status and links the control back to the risk treatment decisions that led to its selection, giving auditors a traceable map from identified risks, through the risk treatment plan, to the measures in place to address them.

The SoA is one of the most closely scrutinised documents during ISO 27001 certification audits, because it demonstrates that the organisation has systematically considered every control and made informed, documented decisions rather than omitting controls by oversight. Auditors typically cross-check it against the risk assessment, the risk treatment plan and the ISMS scope, so the SoA must be updated whenever the scope changes, new risks emerge or controls are added, removed or modified; otherwise it no longer reflects the organisation's actual control environment.
