Stop writing your SoA from scratch. This Statement of Applicability (SoA) covers all 93 Annex A controls of ISO/IEC 27001:2022 – with pre‑written justifications for both applicable and non‑applicable controls.
Created by an ISO 27001 Certified Lead Auditor with 15+ years of experience in critical infrastructure security, this editable Excel template gives you a head start on one of the most important documents for certification.
What you get (macro‑free, clean Excel file, tested on Excel 2010+):
• Full control coverage – Every Annex A control from A.5.1 to A.8.34, organised into four themes: Organisational (37 controls), People (8), Physical (14), and Technological (34).
• Dual‑row applicability – For controls that may not apply to every organisation (e.g., physical security, cloud services, outsourced development), the SoA provides both a "Yes" row and a "No" row. Keep the one that fits your organisation and delete the other. No more manual reformatting.
• Pre‑written justifications – Each control includes a ready‑to‑use justification. For "Yes" rows, the justification explains why the control applies. For "No" rows, a sample exclusion reason is provided (e.g., "organisation has no physical premises"). You can edit these to match your exact context.
• Evidence items & responsible owners – For every control, the tool lists example evidence items (e.g., "Information Security Policy signed by CEO") and suggested responsible roles (e.g., CISO, IT Security Manager, HR Manager).
• Implementation status & review frequency – Columns for marking whether the control is implemented (Yes/No) and how often evidence is reviewed (e.g., daily, quarterly, annually).
• Document control & revision history – A dedicated Document Control sheet tracks version, author, approval status, and distribution. The Read Me sheet provides step‑by‑step instructions.
Why this SoA is different:
Most SoA templates are simple checklists. This one is built by a Certified Lead Auditor who has reviewed dozens of real SoAs during certification audits. The justifications are practical, not theoretical. The dual‑row design saves hours of reformatting.
Who is this for?
• Small and medium enterprises finalising their ISO 27001 documentation
• Consultants who need a professional SoA for multiple clients
• Security practitioners preparing for Stage 2 audits
What this tool does not include – This listing is for the Statement of Applicability only. It does not include the Self‑Assessment Tool, ISMS Manual, or full policy/procedure suite.
Immediate download – You receive an editable Excel file. No macros, no scripts. Own it forever – no subscription fees.
Take the guesswork out of your ISO 27001 compliance. Buy with confidence – backed by 15+ years of real‑world security leadership.
Source: Best Practices in ISO 27001 Excel: ISO 27001:2022 Statement of Applicability (SoA) Excel (XLSX) Spreadsheet, Brahim Yahyaoui Consulting