Clause 6.1
Actions to address risks and opportunities

Clause 6.1.3 gives the SoA four mandatory ingredients. It must list the necessary controls — the ones your risk treatment determined you need, whether they come from Annex A or anywhere else. It must justify why each included control is necessary. It must state whether each necessary control is actually implemented. And it must justify every exclusion: any of the 93 Annex A controls you deem not applicable needs a written reason.

Two consequences follow that trip people up. First, the SoA is not limited to Annex A — if your treatment determined a custom control (a sector-specific fraud check, say), it belongs in the SoA too. Second, "whether implemented" is a status declaration the auditor will test: marking a control implemented when it is half-deployed converts an honest gap into a credibility problem.

No format is mandated, but years of audits have converged on one row per control with these columns:

• •Control ID and title – all 93 Annex A entries in order, plus any custom controls appended at the end
• •Applicable (yes/no) – the inclusion decision itself
• •Justification – why the control is necessary, or why it is excluded
• •Source of necessity – the risk IDs, legal or contractual obligations, or business requirements driving the inclusion
• •Implementation status – implemented, partially implemented, or planned, ideally with a target date
• •Evidence pointer – where the proof lives: the policy, the system, the report, the ticket queue

The source and evidence columns are technically optional — and they are what separates an SoA the auditor trusts from one they dismantle. When every row points to its drivers and its proof, Stage 2 sampling becomes a guided tour instead of an excavation.

Every included control should answer the question "necessary because of what?" with at least one concrete driver. The strongest SoAs cite risk register IDs ("mitigates R-014, R-031"), named legal obligations ("CERT-In log retention direction", "client MSA clause 7.2"), or explicit business requirements. This is where your work under control A.5.31 — the register of legal, statutory, regulatory, and contractual requirements — pays off, because obligations are the second great source of necessary controls after risk.

The justification to avoid is "best practice." It is not false; it concedes that you cannot trace the control to your own risk assessment. An auditor who sees twenty "best practice" rows starts asking whether the risk assessment and the SoA were produced independently of each other — and that question rarely ends well.

An exclusion justification should be a falsifiable statement about your organization, not a shrug. Compare:

• •Weak – "A.7.4 Physical security monitoring: Not applicable."
• •Weak – "A.6.7 Remote working: We trust our employees."
• •Strong – "A.7.4 Physical security monitoring: the organization occupies no premises — fully remote, with all infrastructure in IaaS facilities addressed under A.5.23 and supplier controls. Physical monitoring risk assessed as inherently absent (RA-22). Revisit if office space is acquired."
• •Strong – "A.8.30 Outsourced development: all software is developed in-house by employees; no development is outsourced. Will be revisited if engineering subcontracting begins (see change trigger list)."

The strong versions share three properties: they state a checkable fact about the organization, they reference where the conclusion came from, and they name the condition that would reverse the decision. Auditors challenge exclusions against what they observe — excluding development controls while the org chart shows an engineering team is the classic self-inflicted major finding.

The SoA is versioned, approved, dated documented information — and it decays fast. Controls get implemented, suppliers change, laws arrive, architectures move. Review it at least annually, and additionally after security incidents, significant infrastructure or organizational change, new legal or contractual obligations, and each risk assessment cycle. Each revision needs a version number, an approver, and a change log; the version history itself is evidence the document is maintained rather than exhumed before audits.

The practical pattern: keep the SoA, risk register, and risk treatment plan linked in one system — a GRC platform, or a disciplined spreadsheet with cross-referenced IDs — so a change in any one forces the question of whether the other two still agree.

At Stage 1, the SoA is reviewed as a document: are all 93 Annex A controls accounted for, does every row carry a justification, is the version current and approved, and is it consistent with your scope statement and risk methodology? Inconsistencies here — an SoA still referencing the 2013 control set, exclusions that contradict the scope — can pause the audit before Stage 2 is even scheduled.

At Stage 2, the SoA becomes the audit plan. The auditor samples included controls and asks for the implementation evidence your status column promised, interviews the owners your evidence pointers imply, and tests exclusions against observed reality. This is why the SoA is the one document where optimism is expensive: every claim in it is a commitment the rest of the audit will collect on.