📋

ISO 27001 Statement of Applicability Generator

Generate your ISO 27001:2022 Statement of Applicability (SoA) — all 93 Annex A controls with applicability decisions, justifications, and implementation status.

ISO 27001:202293 Annex A Controls4 ThemesISMS Mandatory Document

📌 What is the Statement of Applicability?

The SoA is a mandatory ISO 27001 document (clause 6.1.3(d)). It lists all 93 Annex A controls, states whether each is applicable or not applicable, provides justifications for excluded controls, and records implementation status. Your certification auditor will review it to verify your risk treatment plan covers all applicable controls.

Step 1 of 2

Organisation & ISMS Details

Company name *

Company website

Country *

Team size *

SoA version

Effective date *

Next review date

Certification body (if known)

SoA owner name *

SoA owner title

SoA owner email

ISMS scope statement * (Clause 4.3 — what systems, locations, processes are in scope)

Company profile (pre-populates physical control applicability)

Cloud-native SaaS — no physical office or self-hosted infrastructureSaaS company with a physical officeHybrid cloud + on-premises infrastructurePrimarily on-premises / data centre hostedFully remote company — no office premises

Risk treatment approach

Mitigate (implement controls to reduce risk to acceptable level)Transfer (insurance, contractual transfer to third party)Avoid (cease the activity that creates the risk)Accept (acknowledge residual risk within risk appetite)

Additional context