ISO 27001 Statement of Applicability Builder: How Many Annex A Controls Apply?
Tell us about your environment to see how many of the 93 Annex A 2022 controls belong in your scope, and where you can defensibly exclude.
How This Statement of Applicability Builder Works
The builder takes four inputs: industry, hosting model (cloud-only, hybrid, on-prem), data sensitivity, and headcount. It maps your environment against the four Annex A 2022 themes (Organizational, People, Physical, Technological) totaling 93 controls. The output shows likely included and likely excluded controls per theme, with a defensible rationale you can lift directly into your draft Statement of Applicability. The math is calibrated to typical patterns: most cloud-first companies exclude 0 to 5 controls, almost always within Physical, with reference to AWS, GCP, or Azure shared responsibility.
What Goes Into a Statement of Applicability
The SoA is the central artefact of your ISMS and the document Stage 1 auditors spend the most time on. Per ISO/IEC 27001:2022 Clauses 6.1.3 and 5.1.2, every Annex A control must appear in the SoA with four pieces of information.
- Inclusion or exclusion decision. Marked clearly per control.
- Justification for the decision. Tied to your scope, risk assessment, and operating environment.
- Implementation status. For included controls: planned, in progress, or implemented.
- Reference to evidence. Pointer to the policy, procedure, or system that operationalizes the control.
The SoA also lists controls implemented in addition to Annex A (often controls drawn from sector-specific frameworks or higher-baseline standards like NIST 800-53 for organizations selling into US public sector).
Industry-Specific Considerations
| Profile | Typical SoA pattern | Common exclusions |
|---|---|---|
| Cloud-native SaaS | 88 – 93 controls included | Some Physical controls (perimeter, equipment maintenance) with cloud shared-responsibility justification |
| Hybrid / co-location | 91 – 93 controls included | Limited; physical controls usually inherited from data center provider with documented split |
| Healthcare / regulated | 93 controls included | Almost no exclusions; HIPAA and sector regs reinforce broad scope |
| Fintech | 93 controls included | Almost no exclusions; PCI DSS and DORA pressure both push toward maximal scope |
The industry signal matters because auditors calibrate scrutiny to sector risk. A fintech excluding cryptography key management controls would face immediate Stage 1 challenge. A small B2B SaaS excluding the same controls because it has not yet rolled out customer-managed keys would face a much shorter conversation.
Common Mistakes That Cost You at Audit
Excluded controls are riskier than included controls. Every exclusion needs a written justification that holds up at Stage 1, and "the cloud provider does it" is not valid per ISO guidance. Auditors flag aggressive exclusions early because each one signals a scope decision that may unravel under scrutiny. Including a control you mostly inherit costs almost nothing extra; defending an exclusion you cannot justify costs your certification.
The second mistake is treating the SoA as paperwork written at the end. The SoA should drive your risk treatment plan from the start, which means you need a working draft before implementation begins, not after.
The third mistake is letting the SoA drift out of sync with your risk register and evidence files. Hicomply generates a draft SoA against all 93 controls on day one, with 75+ integrations populating evidence as you implement, so the three artefacts stay aligned without manual maintenance.
How to Use Your Result
The output is a starting point for your draft SoA, not a final document. Walk it back to your CISO or compliance lead. Validate the included list against your actual control inventory, and sanity-check every excluded control against your risk register. Each exclusion should map to a documented risk decision, not an assumption about what the cloud provider covers. Then turn the included list into a remediation backlog: any control marked included but not yet implemented becomes a Stage 1 finding. Most teams discover at this point that 5 to 15 controls need real implementation work even though they appeared trivial in the planning stage.
Building a Defensible Statement of Applicability
Three approaches exist. DIY using a spreadsheet works but tends to skip the justification step where it matters most, and the document loses fidelity over time. A consultant produces strong documentation but runs your SoA on their template, which means the artefact does not survive their departure. A platform-led approach gives you a live SoA tied to evidence and risk treatment, so changes propagate automatically and surveillance years are incremental rather than rebuilds. The six-step certification path shows where the SoA fits in the wider program, and the readiness assessment highlights which controls likely need the most evidence work.
Hicomply plans start from £6,995 per year with unlimited users. The platform covers SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, CCPA/CPRA, NIST CSF, SOX IT controls, Cyber Essentials, and TX-RAMP, so a single SoA effort feeds multiple frameworks. Book a demo to walk through automated SoA generation against your specific scope.
Frequently Asked Questions
What is the Statement of Applicability in ISO 27001?
The Statement of Applicability is a mandatory document that lists every Annex A control, marks each as included or excluded, and gives a justification for each decision. It is the central artefact your Stage 1 auditor reviews. The 2022 version of Annex A contains 93 controls grouped into four themes: Organizational, People, Physical, and Technological.
Can I exclude controls from my Statement of Applicability?
Yes, but every exclusion needs a defensible written justification tied to your scope, risk assessment, and operating environment. Cloud-native companies sometimes exclude 0 to 5 Physical controls with reference to AWS, GCP, or Azure shared responsibility. Excluding a control purely on the basis that the provider handles it is not valid per ISO guidance.
How many Annex A controls apply to a typical SaaS?
A typical cloud-first SaaS includes 88 to 93 of the 93 Annex A 2022 controls. Most exclusions sit in the Physical theme. Organizational, People, and Technological themes almost always apply in full because BYOD laptops, awareness training, access management, cryptography, and centralized logging are unavoidable in any modern SaaS environment regardless of hosting model.
When should I write the Statement of Applicability?
Start the SoA at the beginning of your ISMS work, not at the end. The SoA drives your risk treatment plan and tells you which Annex A controls need evidence. Writing it last leads to mismatches between what you implemented and what you declared, which auditors flag as inconsistencies during Stage 1 documentation review.
Does Hicomply automate the Statement of Applicability?
Hicomply generates a draft SoA mapped to all 93 Annex A 2022 controls and links each control to evidence drawn from 75+ integrations across cloud, identity, HR, and security tooling. Plans start from £6,995 per year with unlimited users. The SoA stays live as your environment changes, so audits and surveillance years require less rebuild.