Statement of Applicability
A Statement of Applicability (SoA) is a document that is required for certification to ISO 27001. The SoA must contain the following information:
- A list of information security controls selected to mitigate risk.
- Justifications for the inclusion of the selected controls.
- Confirmation of whether the controls are fully implemented.
- Justifications for excluding any of the ISO 27001 Annex A controls.
CyberComply can automatically generate the SoA from data that you have entered.
Creating an SoA with CyberComply
You can automatically generate an SoA for your organisation as follows:
1. Click the **Menu** button, then under the **Controls** section, click **ISO/IEC 27002:2022**.
2. Click **Expand controls** in the left-hand bar.
3. You can see the list of controls for ISO 27001. These are the controls that need to be considered for ISO 27001 certification.
4. Each of these controls has a status. The default is **Not Considered**, but they can also be **Excluded/not applicable**, **Selected – Planned** or **Selected – Implemented**.
5. For each control, click the current status (e.g. **Not Considered**) to make the buttons for the other statuses appear. Select the relevant status.
6. For **Excluded/not applicable**, you will be invited to record a reason for exclusion. For both **Selected – Planned** and **Selected – Implemented**, you will be invited to record a reason for selection. If you choose **Selected – Planned**, you will be invited to create a task to begin the planning process.
7. Click **Save**.
8. Repeat steps 5 to 7 for all the displayed controls.
9. When you have recorded your exclusion or selection of all the controls, click **Reports** at the top of the screen and select **Statement of Applicability**.
10. CyberComply will generate your SoA. You can **Publish** the report or **Print** it using the relevant icons.
11. If you want to save the report, print it as a .pdf file and save that.
Updated on: 17/06/2024