AICOMPLY360.COM | Security for startups

Security Design | Compliance | Implementation | 281.626.0886

Build a Modern ISO 27001 SoA Auditors Love

TL;DR

Automation note: If you want to operationalize this faster, see Offboarder for workflow-based implementation.

Your Statement of Applicability (SoA) should connect risks, Annex A controls, owners, and evidence. A living SoA speeds audits and strengthens your ISMS.

Why the SoA Matters in 2022

The SoA is the core of your ISMS. It shows:

Which Annex A controls you use
Why they are included or excluded
Who owns them and how they are tested

A clear SoA gives auditors confidence and reduces time spent in reviews.

What Good Looks Like

A strong SoA has two layers:

Summary page: Quick view for leaders
Detailed register: Full control details

Each control should list:

Rationale linked to risk
Control owner
How it works day-to-day
Evidence source and update dates

Data and Tools

Your SoA should point to real data. Start with what you already have:

Risk register
Ticketing and change logs
Identity provider (IdP) records
Cloud and system configuration data
Backup and disaster recovery reports

Keep evidence labeled with control IDs and dates.

Roles and Workflows

Clarity comes from ownership:

Control owner: Keeps evidence current
ISMS lead: Approves changes
SMEs: Check accuracy
Compliance team: Tracks reviews

Workflow: Request → SME check → ISMS lead approval → Version update.

Common Pitfalls (and Fixes)

Vague rationales: Use risk-based language, not “best practice.”
Stale entries: Review monthly, update quarterly.
Missing traceability: Always tag artifacts with control IDs.
Too much automation: Keep human review for critical controls.

14-Day SoA Refresh Plan

Days 1–3: Export current SoA, shortlist 20 controls
Days 4–7: Update rationales, owners, evidence
Days 8–10: Test review workflow on 5 controls
Days 11–12: Build summary and sample packet
Days 13–14: Approvals, publish, schedule reviews

Mini Checklist

Every control has a rationale and owner
Evidence mapped with clear source and cadence
IDs used across risks, assets, and controls
Review dates under 90 days
One-page summary for leadership
Test an auditor packet on 5 controls

FAQs

Q1: Do we need rationales for exclusions?

Yes. Document why a control is not applied and who approved it.

Q2: How often should the SoA be updated?

Monthly quick updates and quarterly deep reviews.

Q3: Can the SoA be automated?

Evidence collection can be, but rationale and approvals need people.

Call to Action

AIComply360 helps companies refresh their SoA in two weeks. We link controls to risks, assign clear owners, and wire in real evidence. Your next audit will be smoother, faster, and more predictable. Contact us today to see how we can tailor this for your business.

Next step: For a productized approach, review Offboarder and map requirements to repeatable workflows.
