{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreico5n2hgzx43gvvfhj7ruuyp665fy3aqv4nwjnykpjstpful3pxum",
    "uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mp2hzwimuul2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreierdwumse4gva4fnjjgcz5ci6fdrmm5yfls5ksp2si6w2pu42eya4"
    },
    "mimeType": "image/webp",
    "size": 72318
  },
  "path": "/compliancedocs/the-iso-27001-statement-of-applicability-explained-for-engineers-2ble",
  "publishedAt": "2026-06-24T17:23:23.000Z",
  "site": "https://dev.to",
  "tags": [
    "security",
    "compliance",
    "startup",
    "saas",
    "ISO 27001 Complete Toolkit",
    "How to Write Your ISO 27001 Statement of Applicability"
  ],
  "textContent": "If your startup is going for ISO 27001, the document the auditor opens first is the **Statement of Applicability (SoA)**. Most engineering teams build it backwards and pay for it at the audit. Here's the mental model that actually holds up.\n\n##  What the SoA actually is\n\nThe SoA is one document that lists **every control in Annex A of ISO/IEC 27001:2022** and states, for each: does it apply to you, why, and what's its status. It's not optional — clause 6.1.3 d) names it by name as documented information you must produce. It's one of the very few documents the standard requires explicitly.\n\nIf your ISMS were a map, the SoA is the legend. It ties your assessed risks to the specific controls you've decided to operate.\n\nAnnex A:2022 has **93 controls in four themes** : Organizational (A.5, 37 controls), People (A.6, 8), Physical (A.7, 14), and Technological (A.8, 34). The SoA walks all 93 — including the ones you exclude. The completeness is the point: an auditor should see you considered the whole set and made a deliberate call on each, not cherry-picked.\n\n##  Build it in the right direction\n\nThe SoA is an **output** , not an input. The chain is:\n\n  1. Assess your risks (clause 6.1.2)\n  2. Decide how to treat each one — modify, avoid, share, retain (clause 6.1.3)\n  3. Determine the controls those treatment decisions require\n  4. **Then** check that set against Annex A as a _completeness check_\n\n\n\nA control is \"applicable\" because a risk you identified or an obligation you carry needs it — not because it's in the standard. A control is \"excluded\" when nothing you found depends on it and you can say why. Classic defensible exclusion: if you do no software development, you can reasonably exclude the secure-development controls (~A.8.25-A.8.30) — as long as that's genuinely and durably true.\n\nDo it backwards — pick controls off Annex A first, then reverse-engineer risks to fit — and an experienced auditor will usually notice.\n\n##  The columns that matter\n\nTreat the SoA like a schema. For each control, resolve: **control ID + title, theme, applicable (Y/N), justification, implementation status, evidence reference.**\n\n  * **Justification** must be specific: _\"required to mitigate the access-control risks in our risk register\"_ — not a restatement of the control title.\n  * **Status** stays honest. \"Planned,\" backed by a dated plan, is acceptable at a **Stage 1** audit (which mostly checks documentation and readiness).\n  * **Evidence** links each applicable control to proof — a log, an access review, a ticket, a signed acknowledgment. That's what turns the SoA from a list of intentions into a navigable index into your ISMS.\n\n\n\n##  Mistakes that cost you at audit\n\n  * **Excluding controls to cut work** instead of because they genuinely don't apply. Every exclusion needs to survive a follow-up question.\n  * **Leaving template placeholder justifications** (\"applies to company systems\"). That tells the auditor you filled a spreadsheet but didn't connect it to your environment.\n  * **An SoA that disagrees with the rest of the ISMS** — a control marked applicable with no policy behind it. Internal consistency is exactly what auditors sample.\n  * **Treating it as one-and-done.** It's living documented information — update it after each risk cycle and any significant change.\n  * **Using the old 2013 structure** (114 controls / 14 domains, A.5-A.18). Certification is against ISO/IEC 27001:2022, so your SoA must reflect the 93-control, four-theme Annex A.\n\n\n\nThe SoA is the index; the audit is the auditor checking the index points to something real.\n\n##  A head start\n\nTranscribing all 93 controls and laying out the columns before you can do any of the actual thinking adds nothing unique to your org — so it's worth not doing by hand. We publish a **93-control SoA workbook** (pre-populated with every Annex A:2022 control, its theme, and starter justification wording) alongside the matching risk register and the policies the evidence column points back to, in the ISO 27001 Complete Toolkit.\n\nBe clear about the boundary: a workbook gives you the structure, not the judgment — the applicability calls, the org-specific justifications, and the evidence have to be yours. And no template makes anyone \"ISO 27001 certified\"; certification comes only from an accredited body auditing a working management system.\n\nFull step-by-step walkthrough (the original of this post): How to Write Your ISO 27001 Statement of Applicability.",
  "title": "The ISO 27001 Statement of Applicability, explained for engineers"
}