Statement of Applicability (ISO 27001)
The Statement of Applicability (SoA) page keeps one row per ISO 27001 requirement: whether it applies to your ISMS, the justification for including or excluding it, its implementation status, and references to the controls that implement it. ISO 27001 clause 6.1.3(d) requires this document, including visible justifications for exclusions. Use it when you build or maintain an ISO 27001 program, and export it as a PDF for your auditor. It lives at /soa (side nav: SoA (ISO 27001)).
Before you start
- The SoA (ISO 27001) module is off by default. An admin must turn it on in Settings > Modules (Governance, risk and compliance group).
- The ISO/IEC 27001 content module must be installed from the Module Store so the standard exists in your library. Without it the page shows "ISO 27001 module not installed".
- Optional, but it makes seeding smarter:
- Scoping decisions in Library, scoping, gap. Requirements you scoped out as not applicable are seeded as excluded, with the scoping justification carried across.
- Controls linked to requirements in Controls and evidence. Their codes are prefilled into each row's control references.
Seed the SoA from the library
- Open SoA (ISO 27001) in the side nav.
- On first visit you see "No SoA entries yet". Click Seed from library (or Seed / refresh from library in the header).
- Wait for the toast "SoA synced with the library (N requirements)".
Seeding creates one entry per ISO 27001 requirement, grouped by clause. Each new entry is prefilled:
- Applicable is set to Excluded when your scoping marked the requirement not applicable, and the scoping justification text is copied in.
- Control references are filled with the codes or names of your controls already linked to the requirement.
Re-running Seed / refresh from library only adds rows for requirements that are missing. It never overwrites decisions you already made. Run it again after the library gains new requirements.
Set applicability
Each row has a toggle on the right labeled Applicable / Excluded.
- Flip the toggle to Excluded for a requirement that does not apply.
- A toast reminds you that an exclusion needs a justification (ISO 27001 6.1.3 requires it).
- Click the pencil icon on the row and fill Justification for exclusion (required), then click Save.
Excluded rows stay visible: the title is struck through and the row shows either the exclusion justification or a red warning tag while the justification is still missing. Flip the toggle back to Applicable to include the requirement again.
Set implementation status
For applicable rows, pick a status in the dropdown on the row:
Not implementedPartially implementedImplementedNot applicable
The change saves immediately. The header chips update: Applicable, Excluded, Implemented, Partial, Not implemented. Implementation counts only cover applicable entries; excluded rows are never counted as not implemented.
Edit justification, control references, and notes
- Click the pencil icon on a row.
- Fill:
- Justification for inclusion (or Justification for exclusion (required) when the row is excluded). For inclusions, say why the control is needed: risk treatment, legal, or contractual reasons.
- Control references, for example
CTRL-007, Access Control Policy §4. Prefilled from linked controls at seed time; edit freely. - Notes (optional).
- Click Save.
Export the PDF
- Click Export PDF in the header. The button is disabled until entries exist.
- A file named
statement-of-applicability-<date>.pdfdownloads.
The PDF is branded and contains your organization name, the standard code, the generation date, summary counts, and one table row per requirement (CODE, CONTROL / REQUIREMENT, APP., JUSTIFICATION, STATUS, CONTROL REFS), grouped by clause. Excluded rows keep their justification visible; a missing one prints as "No justification recorded", which your auditor will notice, so fix those before exporting.
Try it
- Turn on the SoA module in Settings > Modules. Expected: SoA (ISO 27001) appears in the side nav.
- Open the page with the ISO 27001 content module installed and click Seed from library. Expected: a toast "SoA synced with the library (N requirements)" and rows grouped by clause.
- Check the header chips. Expected: Applicable, Excluded, Implemented, Partial, and Not implemented counts that add up to your entries.
- Flip one row's toggle to Excluded. Expected: a toast telling you to add a justification, and the row title struck through with a red warning tag.
- Edit that row and save a justification for exclusion. Expected: the red tag is replaced by "Excluded:
" on the row. - On an applicable row, set the status to
Implemented. Expected: the Implemented chip count goes up by one. - Edit a row and add
CTRL-001to Control references. Expected: the row shows "Controls: CTRL-001". - Click Seed / refresh from library again. Expected: your edits are unchanged; the toast reports the same requirement count.
- Click Export PDF. Expected: a
statement-of-applicability-<date>.pdfdownload with your entries, including the excluded rows and their justifications.
If something goes wrong
- SoA (ISO 27001) is missing from the side nav. The module is off. Enable it in Settings > Modules. Typing
/soawhile it is off redirects to the dashboard. - "ISO 27001 module not installed". The standards library has no standard whose code contains 27001. Install the ISO/IEC 27001 module from the Module Store, then reload.
- Seeding says "ISO 27001 module not found in the standards library". Same cause as above; the seed found no matching standard.
- A row shows a red "justification required" tag. The row is excluded without a justification. Edit the row and fill Justification for exclusion (required).
- Export PDF is grayed out. There are no entries yet; seed first.
- Prefill did not pick up my scoping or controls. Prefill only applies to rows created by that seed run. Rows that already existed keep their stored values. Scoping decisions must be recorded in Library, scoping, gap and controls must be linked to requirements in Controls and evidence before you seed.