Your ISO 27001 Statement of Applicability (SoA) can fail an audit before the auditor even reviews your evidence. The SoA is the logical spine of your Information Security Management System (ISMS) — if it is incomplete, inconsistent, or poorly justified, the entire certification is at risk. Yet, year after year, our consultants see the same avoidable gaps: missing controls, circular justifications, and blanket 'excluded' annotations that collapse under scrutiny.
This is not a document you store and forget. The SoA is the bridge between your risk assessment and your control implementation. Get it wrong, and you face a major non-conformity. Get it right, and you pass with confidence. Here are the three steps to avoid a failed audit and the four costly gaps that will sink your certification.
What the ISO 27001:2022 SoA Actually Demands
Annex A of ISO 27001:2022 lists 93 controls across 4 themes — organisational, people, physical, and technological. The SoA must document which controls you have selected, justify the inclusion or exclusion of each one, and cross-reference the implementation evidence. The standard is explicit: without a justified SoA, your ISMS is not compliant.
The typical failure is not the volume of work — it is poor control justification. Auditors see 'Not Applicable' annotated against controls such as A.8.24 (use of cryptography) or A.8.16 (monitoring activities) simply because the organisation has not considered the risk. The standard requires a risk-based decision, not a convenience-based one.
For UK-based organisations, the SoA also supports compliance with UK GDPR and the NIS Regulations 2018. If you operate in a regulated sector — finance, critical infrastructure, or digital services — your SoA may be reviewed by the ICO or the FCA as part of their supervisory activity. This document has teeth beyond the audit room.
We have written about the ISO 27001 certification process in detail elsewhere, but the SoA deserves its own focus because it is the single most common source of non-conformity in Stage 2 audits.
Step 1: Build the SoA from Your Risk Assessment, Not an Excel Template
The most common mistake our team sees is downloading a generic SoA template and filling in the gaps. Do not do this. Your SoA must flow directly from your risk assessment methodology and your ISMS scope. Every control in Annex A must be evaluated against your specific risks, not against a generic checklist.
Begin by documenting your ISMS scope clearly — what business units, locations, systems, and data are covered. Then list all 93 controls from Annex A. For each, answer three questions:
- Is this control relevant to our scope and risk profile?
- If yes, where is it implemented and what is the evidence?
- If no, what is the specific risk or operational reason for exclusion?
Do not write 'Not Applicable' without a paragraph justifying the exclusion. For example, control A.8.24 (use of cryptography) might be excluded because the organisation does not store or process any data that requires encryption by contract or regulation. Conversely, if you do handle personal data, excluding it without compensating controls is an immediate non-conformity. The auditor will ask 'What about UK GDPR Article 32?' — and you need an answer.
Use a structured format that your team can maintain. The SoA is a living document — update it when your risk assessment changes, when you add new systems, or when regulatory requirements shift. A static SoA is a risky SoA.
Step 2: Justify Every Control with Evidence, Not Assumptions
Your ISO 27001 Statement of Applicability 2022 must show that each control decision was deliberate and evidence-backed. This is where the SoA document requirements become critical. The auditor will check that:
- The justification specifically references the risk assessment finding (e.g., 'Risk ID-045: Data encryption not required for offline backup tapes').
- Excluded controls have a documented risk treatment decision — either the risk was accepted, transferred, or avoided.
- Included controls have a cross-reference to the policy, procedure, or technical implementation (e.g., 'A.8.24 implemented via BitLocker encryption on all laptops; see IT Security Policy Section 4.2').
A common gap we catch during pre-audit reviews is circular justification. Example: 'A.8.24 is implemented because our IT team encrypts laptops.' This is not a justification — it is a statement about implementation. A proper justification would say: 'Risk assessment identified that laptops leave the office premises (Risk ID-042). The risk of data exposure is mitigated by full-disk encryption (BitLocker). This control is selected as appropriate and proportionate.'
This level of detail may feel burdensome, but it eliminates ambiguity. When your auditor presses you on why a control is included or excluded, your SoA gives you the exact answer — no waffle, no improvisation.
Step 3: Map Controls to the 2022 Changes Before the Audit
ISO 27001:2022 introduced 11 new controls that did not exist in the 2013 version. If you are transitioning from 2013 or implementing for the first time, these new controls are a common source of failure. The new controls include:
- A.5.7 — Threat intelligence
- A.5.23 — Information security for use of cloud services
- A.5.30 — ICT readiness for business continuity
- A.8.9 — Configuration management
- A.8.10 — Information deletion
Many organisations we audit fail on A.5.23 (cloud services) because they assume 'We use Office 365 — Microsoft handles security.' That is not a valid exclusion. You must document how you assess, manage, and monitor the security of your cloud providers. If you are using AWS, Azure, or Google Cloud, your SoA should reference those shared responsibility models explicitly.
Our CloudAuditX tool can help you generate that evidence — but you must still make the logical connection in the SoA yourself. Do not outsource the thinking; outsource the data collection.
4 Costly Gaps That Will Tank Your Audit
Gap 1: The 'All Controls Selected' Trap
Some organisations select every Annex A control to avoid having to justify exclusions. This is not a shortcut — it is a failure of risk-based thinking. If you select a control you do not actually implement, the auditor will see the gap during the Stage 2 review. Selecting all 93 controls without evidence for each is a major non-conformity. Only select controls you have genuinely implemented and can prove.
Gap 2: Missing Cross-References to Implementation
Your SoA should be a map, not a list. Each included control must point directly to the document, policy, or configuration that demonstrates implementation. If the SoA says 'A.8.16: Monitoring activities — implemented via SIEM' but you cannot produce the SIEM configuration or the monitoring logs, the control is effectively absent. Include the document title, version, and section number for every reference.
Gap 3: Blanket Exclusions Without Risk Context
Excluding A.8.24 (cryptography) for a UK business that processes personal data is extremely difficult to justify. UK GDPR Article 32 requires appropriate technical measures, and encryption is the baseline. If you exclude cryptography, you need compensating controls — and you need to document how those controls achieve the same objective. Most auditors will push back hard on this.
Gap 4: No Version Control or Change Log
The standard requires that your SoA be a controlled document. If your SoA has no version number, no approval history, and no evidence of periodic review, the auditor will flag it as non-compliant. This is a low-effort fix that organisations routinely miss. Add a change log, assign an owner, and schedule a quarterly review cycle as part of your ISMS management review.
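As an added illustration of the checks in Steps 1 and 2 and Gaps 1 to 4, the script below lints an SoA held as a Python dict and reports audit-style findings. It is example code written for this article, not a Pyralink or CloudAuditX tool; the dict layout, the 'Risk ID-nnn' reference style and the sample entries (with deliberate defects taken from the article) are assumptions.

```python
import re

# Annex A of ISO 27001:2022: A.5 organisational (37), A.6 people (8),
# A.7 physical (14), A.8 technological (34) = 93 controls in total.
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ALL_CONTROLS = {f"A.{t}.{n}" for t, c in ANNEX_A_COUNTS.items() for n in range(1, c + 1)}
RISK_REF = re.compile(r"\bRisk ID-\d+\b")  # assumed risk-register reference style (e.g. Risk ID-042)

def control_sort_key(cid):
    """Sort 'A.8.24' numerically as (8, 24) rather than as a string."""
    return tuple(int(p) for p in cid.split(".")[1:])

def lint_soa(soa):
    """Return findings for an SoA dict shaped as (assumed layout):
    {"version", "owner", "approved", "controls": {id: {"applicable", "justification", "evidence"}}}."""
    findings = []
    for field in ("version", "owner", "approved"):           # Gap 4: controlled-document metadata
        if not soa.get(field):
            findings.append(f"Gap 4: no '{field}' recorded; SoA is not a controlled document")
    controls = soa.get("controls", {})
    for cid in sorted(ALL_CONTROLS - set(controls), key=control_sort_key):   # Step 1: completeness
        findings.append(f"Step 1: {cid} not evaluated; all 93 Annex A controls must appear")
    for cid in sorted(set(controls) - ALL_CONTROLS):
        findings.append(f"Step 1: {cid} is not an ISO 27001:2022 Annex A control")
    for cid in sorted(set(controls) & ALL_CONTROLS, key=control_sort_key):
        entry = controls[cid]
        # Step 2: catches both a bare 'Not Applicable' and the circular
        # 'implemented because we do X', neither of which cites a risk finding.
        if not RISK_REF.search(entry.get("justification", "")):
            findings.append(f"Step 2: {cid} justification cites no risk assessment finding")
        if entry.get("applicable") and not entry.get("evidence"):   # Gap 2: map, not list
            findings.append(f"Gap 2: {cid} selected with no cross-reference to implementation")
    if controls and all(e.get("applicable") for e in controls.values()):   # Gap 1: blanket 'yes'
        findings.append("Gap 1: every control selected; confirm each has evidence, not a blanket 'yes'")
    return findings

def build_sample_soa():
    """Constructed sample: a compliant baseline with four deliberate defects from the article."""
    controls = {}
    for i, cid in enumerate(sorted(ALL_CONTROLS, key=control_sort_key), start=1):
        controls[cid] = {"applicable": True,
                         "justification": f"Risk ID-{i:03d}: control selected as proportionate treatment",
                         "evidence": f"ISMS Control Register v1.4, Section {cid}"}
    del controls["A.5.7"]                                   # threat intelligence never evaluated
    controls["A.8.24"] = {"applicable": False, "justification": "Not Applicable", "evidence": ""}
    controls["A.8.16"]["evidence"] = ""                     # 'implemented via SIEM' with nothing to show
    controls["A.5.23"]["justification"] = "Implemented because Microsoft handles security for Office 365"
    return {"version": "1.4", "owner": "", "approved": "CISO sign-off recorded", "controls": controls}

if __name__ == "__main__":
    for finding in lint_soa(build_sample_soa()):
        print(finding)
```

Running the block prints five findings: the missing owner, the unevaluated A.5.7, the circular A.5.23 and bare A.8.24 justifications, and A.8.16 selected without evidence.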
How Pyralink Innovation Ltd Helps You Get It Right
We are a UK cybersecurity firm led by Michael Adedeji (CISM, CISA, CC, MSc Data Science). Our team has implemented ISMSs for regulated firms, SaaS providers, and critical infrastructure operators. We do not hand you a template and walk away. We audit your SoA against the ISO 27001 Statement of Applicability 2022 requirements, flag the gaps, and work with your team to build the justifications that hold up under scrutiny.
Our services include fractional vCISO support starting from £497 per month, where your consultant reviews your SoA as part of an ongoing compliance programme management. For cloud-heavy environments, our CloudAuditX platform maps cloud configurations to relevant Annex A controls, saving your team hours of manual cross-referencing. And if you are uncertain where you stand, our free compliance scanner can identify gaps in your current controls before the auditor does.
We hold £5 million professional indemnity insurance and have delivered ISO 27001 support across multiple sectors. Our approach is practical, risk-based, and audit-ready from day one. You do not need to guess — we have done this before.
Your Next Move
The SoA is not the hardest part of ISO 27001, but it is the most exposed. A weak SoA collapses the entire audit. A strong SoA demonstrates that your organisation understands its risks, controls them proportionately, and can prove it.
Start by running a free CloudAuditX scan to see how your cloud environment aligns with Annex A controls. Then book a free security review with our team to review your SoA before your next audit. We will tell you what is solid and what will fail. No fluff. No guesswork. Just the truth a CISA-level consultant would give your board.