Statement of Applicability (ISO 27001)

The Statement of Applicability (SoA) page keeps one row per ISO 27001 requirement: whether it applies to your ISMS, the justification for including or excluding it, its implementation status, and references to the controls that implement it. ISO 27001 clause 6.1.3(d) requires this document, including visible justifications for exclusions. Use it when you build or maintain an ISO 27001 program, and export it as a PDF for your auditor. It lives at /soa (side nav: SoA (ISO 27001)).

Before you start

Seed the SoA from the library

  1. Open SoA (ISO 27001) in the side nav.
  2. On first visit you see "No SoA entries yet". Click Seed from library (or Seed / refresh from library in the header).
  3. Wait for the toast "SoA synced with the library (N requirements)".

Seeding creates one entry per ISO 27001 requirement, grouped by clause. Each new entry is prefilled:

Re-running Seed / refresh from library only adds rows for requirements that are missing. It never overwrites decisions you already made. Run it again after the library gains new requirements.

Set applicability

Each row has a toggle on the right labeled Applicable / Excluded.

  1. Flip the toggle to Excluded for a requirement that does not apply.
  2. A toast reminds you that an exclusion needs a justification (ISO 27001 6.1.3 requires it).
  3. Click the pencil icon on the row and fill Justification for exclusion (required), then click Save.

Excluded rows stay visible: the title is struck through and the row shows either the exclusion justification or a red warning tag while the justification is still missing. Flip the toggle back to Applicable to include the requirement again.

Set implementation status

For applicable rows, pick a status in the dropdown on the row:

The change saves immediately. The header chips update: Applicable, Excluded, Implemented, Partial, Not implemented. Implementation counts only cover applicable entries; excluded rows are never counted as not implemented.

Edit justification, control references, and notes

  1. Click the pencil icon on a row.
  2. Fill:
    • Justification for inclusion (or Justification for exclusion (required) when the row is excluded). For inclusions, say why the control is needed: risk treatment, legal, or contractual reasons.
    • Control references, for example CTRL-007, Access Control Policy §4. Prefilled from linked controls at seed time; edit freely.
    • Notes (optional).
  3. Click Save.

Export the PDF

  1. Click Export PDF in the header. The button is disabled until entries exist.
  2. A file named statement-of-applicability-<date>.pdf downloads.

The PDF is branded and contains your organization name, the standard code, the generation date, summary counts, and one table row per requirement (CODE, CONTROL / REQUIREMENT, APP., JUSTIFICATION, STATUS, CONTROL REFS), grouped by clause. Excluded rows keep their justification visible; a missing one prints as "No justification recorded", which your auditor will notice, so fix those before exporting.

Try it

If something goes wrong

← Back to CompStack