Statement of Applicability
The Statement of Applicability (SoA) is a mandatory document for ISO 27001 certification. It lists all 93 Annex A controls and records, for each one, whether it applies to your organisation — and if so, how it’s implemented. Governy presents this as a spreadsheet-style view so you can make decisions, add justifications and track progress in one place.
How the controls are organised
The 93 controls are grouped into four themes:
| Theme | Controls |
|---|---|
| Organisational | 5.1 – 5.37 |
| People | 6.1 – 6.8 |
| Physical | 7.1 – 7.14 |
| Technological | 8.1 – 8.34 |
The 11 controls introduced in the 2022 revision are automatically marked with a “New 2022” badge.
The SoA table
Each row is one Annex A control, showing its reference, name, applicability decision, justification, implementation result (for controls marked Applicable) and any badge, such as “New 2022”.
Making applicability decisions
For every control you decide:
- Applicable — the control is relevant; record how it’s implemented.
- Not applicable — the control is out of scope; a justification is required.
- Undecided — the starting point. The SoA can’t be exported until every control has a decision.
Toggle a control’s decision directly on its row, and add a justification when excluding one. You can also select several controls at once and apply the same decision in bulk. Changes are saved immediately.
Export readiness
The SoA is complete once every control has a decision. A progress indicator shows how many are still undecided, and export is available once you reach full coverage.
Who can do what
| Action | Admin | Domain Manager | Analyst | Approver | Auditee | Reader |
|---|---|---|---|---|---|---|
| View the SoA | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Set applicability | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Add justification | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
| Record implementation | ✓ | ✓ | ✓ | ✗ | ✗ | ✗ |
The Statement of Applicability appears only for ISO 27001 audits; other frameworks don’t show this section.