Statement of Applicability Template
Mandatory ISMS document per ISO/IEC 27001:2022 Clause 6.1.3(d) — exhaustive table of all 93 Annex A controls with applicability, justification, implementation status, and exclusion rationale.
What This Policy Covers
Required Sections
A compliant Statement of Applicability for ISO 27001 must include the following 8 sections. Each section addresses a specific control requirement that auditors will review.
Introduction
Document purpose, ISMS scope reference, version control, approval, and the risk assessment / risk treatment plan this SoA derives from (per Clause 6.1.3(d)).
Methodology for Applicability Determination
How applicability was decided — risk treatment outputs, legal/contractual obligations, and business context.
A.5 Organizational Controls
Markdown table with all 37 A.5 controls — Control ID, Title, Applicable (Y/N), Justification, Implementation Status, Reference.
A.6 People Controls
Markdown table with all 8 A.6 controls — same columns.
A.7 Physical Controls
Markdown table with all 14 A.7 controls — same columns.
A.8 Technological Controls
Markdown table with all 34 A.8 controls — same columns.
Excluded Controls — Justification Summary
Narrative summary of every control marked Not Applicable, with the risk-treatment justification for exclusion.
Approval and Revision History
Signatory, date of approval, and change log.
Generate a Customized Version
This template shows the required structure. PoliWriter generates a fully customized Statement of Applicability that references your actual cloud providers, identity systems, tools, and team practices — ready for auditor review.
Other ISO 27001 Templates
Top-level information security management system policy.
Risk management methodology aligned with ISO 27005.
Defines access control requirements aligned with ISO 27001 Annex A controls A.5.15 and A.8.2.
Information asset inventory and classification aligned with ISO 27001 controls A.5.9 and A.5.10.
Information security incident management aligned with ISO 27001 controls A.5.24 and A.5.25.
Information security aspects of business continuity aligned with ISO 27001 controls A.5.29 and A.5.30.
Managing information security risks in supplier relationships per ISO 27001 controls A.5.19 and A.5.20.
Cryptographic controls and key management aligned with ISO 27001 control A.8.24.