The Statement of Applicability (SoA) is a mandatory ISO 27001 document. It lists every Annex A control, declares whether each control is applicable to your organization, and records its implementation status. Certification auditors use the SoA to verify that your control selection is complete and justified. ISOwl generates the SoA as a downloadable PDF directly from your Annex A control data.

What the SoA PDF contains

The exported document covers all 93 Annex A controls drawn from ISO/IEC 27002. For each control, the PDF records:
| Column | Description |
| --- | --- |
| ID | Annex A reference (e.g., A.5.1, A.8.24) |
| Dominio | Organizational, People, Physical, or Technological |
| Control de Seguridad | Control name from ISO/IEC 27002:2022 |
| Estado | Current evaluation state (Implementado, En Progreso, No Evaluado, No Aplica) |
| Responsable | Individual or team accountable for the control |
The exported PDF uses a landscape orientation and includes a total control count footer and page numbers. The filename follows the pattern SoA_ISO27001_<timestamp>.pdf.
Controls marked as Not Applicable are still included in the SoA. ISO 27001 requires that exclusions be documented and justified, not omitted.

When to use the SoA export

Certification audit

Provide the SoA to your certification body before a stage 2 audit. Auditors will cross-reference it against your implemented controls and evidence.

Surveillance audit

Demonstrate that your control set remains current and that any changes since the last audit are reflected in the SoA.

Client reporting

Share a client’s SoA with their own leadership or board to show the current state of their Annex A program.

Internal review

Use the SoA as a working document during internal audits to identify gaps, assign responsibility, and track review cadence.

How to export the SoA

1. Select the correct workspace

Confirm that the active workspace shown in the top navigation bar is the organization whose SoA you want to export. Switch workspaces from the Clients admin page if needed.

2. Navigate to Annex A

Click Annex A in the main navigation sidebar to open the controls library.

3. Click Exportar SoA (PDF)

Locate the Exportar SoA (PDF) button at the top of the Annex A page and click it. ISOwl reads the current state of all 93 controls and generates the PDF.

4. Download the file

The PDF downloads automatically. File it with your ISMS document registry using your organization’s version control process.

The SoA export captures the state of your controls at the moment of export. If controls are updated after the export, the document on file will be out of date. Re-export after any significant change to your control set.

Keeping the SoA current

ISO 27001 requires that the SoA be maintained as a living document. Best practices:
  • Re-export the SoA after adding new controls, changing applicability decisions, or updating responsible owners.
  • Include the export date in your document registry entry so reviewers know which version is current.
  • Store previous versions for audit traceability — auditors may ask to see how the SoA evolved between audit cycles.
Set a recurring reminder to review and re-export the SoA at least once per year, or whenever a significant change to your ISMS scope occurs.

Roles that can export the SoA

All roles can export the SoA PDF. There is no role restriction on the export button.
| Role | Can export |
| --- | --- |
| CISO | Yes |
| Owner | Yes |
| Auditor | Yes |
See Roles and permissions for details on access control.
