ISO 27001 Statement of Applicability builder
Walk through all 93 ISO/IEC 27001:2022 Annex A controls and mark each one applicable, not applicable, or undecided. Track your progress, then have a draft SoA sent to your inbox.
The SoA is a mandatory ISO 27001 document (Clause 6.1.3). It lists each Annex A control with its applicability and a justification for inclusion or exclusion, and it traces back to your risk assessment. Set a decision for each control below — the summary updates as you go.
A.5.1 Policies for information security
A.5.2 Information security roles and responsibilities
A.5.3 Segregation of duties
A.5.4 Management responsibilities
A.5.5 Contact with authorities
A.5.6 Contact with special interest groups
A.5.7 Threat intelligence
A.5.8 Information security in project management
A.5.9 Inventory of information and other associated assets
A.5.10 Acceptable use of information and other associated assets
A.5.11 Return of assets
A.5.12 Classification of information
A.5.13 Labelling of information
A.5.14 Information transfer
A.5.15 Access control
A.5.16 Identity management
A.5.17 Authentication information
A.5.18 Access rights
A.5.19 Information security in supplier relationships
A.5.20 Addressing information security within supplier agreements
A.5.21 Managing information security in the ICT supply chain
A.5.22 Monitoring, review and change management of supplier services
A.5.23 Information security for use of cloud services
A.5.24 Information security incident management planning and preparation
A.5.25 Assessment and decision on information security events
A.5.26 Response to information security incidents
A.5.27 Learning from information security incidents
A.5.28 Collection of evidence
A.5.29 Information security during disruption
A.5.30 ICT readiness for business continuity
A.5.31 Legal, statutory, regulatory and contractual requirements
A.5.32 Intellectual property rights
A.5.33 Protection of records
A.5.34 Privacy and protection of PII
A.5.35 Independent review of information security
A.5.36 Compliance with policies, rules and standards for information security
A.5.37 Documented operating procedures
Your SoA summary: 0 of 93 controls decided (0 applicable, 0 not applicable, 93 undecided)
SoA builder — common questions
What is a Statement of Applicability?
The Statement of Applicability (SoA) is a mandatory ISO 27001 document, required by Clause 6.1.3. It lists every Annex A control, states whether each one applies to your organisation, and records a justification for inclusion or exclusion. It traces back to your risk assessment and is one of the first artefacts the certification-body auditor reviews.
Do I have to justify exclusions?
Yes. The SoA needs a justification for both inclusion and exclusion. For every Annex A control you mark as not applicable, you record why it does not apply — for example, that you operate no physical premises or develop no software in-house. An exclusion without a documented, defensible reason is a common audit finding.
How many controls are there?
ISO/IEC 27001:2022 Annex A has 93 controls grouped into 4 themes: Organizational (37), People (8), Physical (14), and Technological (34). This replaced the 2013 structure of 114 controls across 14 domains.
Is this builder a finished SoA?
No. It is a starting point that captures your applicability decisions across all 93 controls. A complete SoA also records the justification and the implementation status for each control, traced back to your risk assessment. When you ask us to send your draft, we use these selections as the basis for a working document and a conversation about scope.
Turn this into a real SoA
A 30-minute call to map your applicability decisions to your risk assessment and build a SoA your auditor will accept.
Free Assessment: no obligation, no sales pitch
Custom Roadmap: tailored to your organization
Expert Guidance: 500+ successful audits