ISO 27001 Statement of Applicability Template: Free SoA Excel Download
Key takeaways
- The Statement of Applicability (SoA) is a mandatory ISO 27001 document listing all Annex A controls and your implementation status.
- This template covers all 93 ISO 27001:2022 Annex A controls across Organisational, People, Physical, and Technological themes.
- Each row includes applicability, justification, evidence link, owner, and status.
- SecureSlate helps map Annex A controls to evidence and track implementation progress.
Overview
ISO 27001 certification requires you to declare which Annex A controls apply, why excluded controls are out of scope, and how implemented controls are evidenced. The SoA is the document auditors review line by line.
What makes it useful
- Complete control list: All 93 controls pre-loaded with ISO 27001:2022 references.
- Theme summary: Dashboard counts per theme (Organisational, People, Physical, Technological).
- Justification column: Required explanation when a control is Not Applicable.
- Implementation tracking: Status values for Implemented, In Progress, and Not Started.
Download the template
Complete the document control fields and obtain management approval before the certification audit.
Tab-by-tab walkthrough
Overview and Version & Approval
Organization name, ISMS owner, version history, and sign-off. The SoA must be approved by management.
Summary
Auto-calculated counts: total controls per theme, applicable controls, implemented, in progress, and % complete. Use it for steering committee updates.
Statement of Applicability
Main working tab. Columns include Control ID, Control Name, Theme, Applicable (Yes/No), Justification, Implementation Status, Evidence/Policy Link, Owner, and Notes. Work theme by theme with control owners from engineering, HR, facilities, and IT.
How to use it as audit evidence
| Certification requirement | Template field |
|---|---|
| List of applicable controls | Applicable column + Justification |
| Implementation status | Implementation Status column |
| Evidence of operation | Evidence/Policy Link column |
| Management approval | Version & Approval sign-off |
Keep the SoA version aligned with your risk treatment plan and internal audit schedule.
Common mistakes
- Marking controls Implemented without linked policies or technical evidence
- Weak justifications for Not Applicable controls
- SoA not updated after org or product changes
- Control owners listed but never consulted during fill-in
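As an added example (not the template's own logic or SecureSlate code), the Python below models the Statement of Applicability columns on constructed sample rows, flags the first two mistakes listed above, and reproduces the Summary tab's per-theme counts and % complete. The row class, sample values and the evidence URL are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SoaRow:
    control_id: str
    name: str
    theme: str
    applicable: bool
    justification: str   # required when applicable is False
    status: str          # "Implemented", "In Progress" or "Not Started"
    evidence_link: str   # policy or technical evidence backing "Implemented"
    owner: str

# Constructed sample rows; IDs and names follow ISO 27001:2022 Annex A numbering.
SAMPLE_ROWS = [
    SoaRow("A.5.1", "Policies for information security", "Organisational", True, "",
           "Implemented", "https://wiki.example.invalid/infosec-policy", "CISO"),
    SoaRow("A.7.4", "Physical security monitoring", "Physical", False, "",
           "Not Started", "", "Facilities"),
    SoaRow("A.8.8", "Management of technical vulnerabilities", "Technological", True, "",
           "Implemented", "", "IT"),
    SoaRow("A.6.1", "Screening", "People", True, "", "In Progress", "", "HR"),
]

def validate(rows):
    """Return (control_id, problem) pairs for rows an auditor would challenge."""
    findings = []
    for r in rows:
        if r.applicable and r.status == "Implemented" and not r.evidence_link.strip():
            findings.append((r.control_id, "Implemented without evidence/policy link"))
        if not r.applicable and not r.justification.strip():
            findings.append((r.control_id, "Not Applicable without justification"))
    return findings

def summary(rows):
    """Per-theme counts as on the Summary tab: total, applicable, implemented, in progress, % complete."""
    themes = {}
    for r in rows:
        t = themes.setdefault(r.theme, {"total": 0, "applicable": 0, "implemented": 0, "in_progress": 0})
        t["total"] += 1
        if r.applicable:
            t["applicable"] += 1
            if r.status == "Implemented":
                t["implemented"] += 1
            elif r.status == "In Progress":
                t["in_progress"] += 1
    for t in themes.values():
        # % complete is measured against applicable controls only, as excluded controls need no evidence
        t["pct_complete"] = round(100 * t["implemented"] / t["applicable"], 1) if t["applicable"] else 0.0
    return themes
```

Running `validate(SAMPLE_ROWS)` on these rows reports A.7.4 (excluded without justification) and A.8.8 (marked Implemented with no evidence link).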
How SecureSlate helps
SecureSlate maps ISO 27001 controls to automated evidence, tracks gaps, and exports packages for stage 1 and stage 2 audits.
FAQ
Is the SoA required for ISO 27001?
Yes. It is a mandatory documented information requirement for certification.
How is the SoA different from a risk register?
The risk register identifies risks and treatments. The SoA declares which Annex A controls apply and how they are implemented.
When should we finalize the SoA?
Before the stage 2 audit, but treat it as a living document updated whenever scope or controls change.
Disclaimer (legal note)
This article is for general information only and is not legal, regulatory, or professional advice. Requirements vary by framework, industry, and jurisdiction. Consult qualified advisors for your specific obligations.
