<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ComplianceDocs</title>
    <description>The latest articles on DEV Community by ComplianceDocs (@compliancedocs).</description>
    <link>https://dev.to/compliancedocs</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4000997%2F65f0b277-f644-4ab8-b6ba-2607f37692e6.png</url>
      <title>DEV Community: ComplianceDocs</title>
      <link>https://dev.to/compliancedocs</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/compliancedocs"/>
    <language>en</language>
    <item>
      <title>The ISO 27001 Statement of Applicability, explained for engineers</title>
      <dc:creator>ComplianceDocs</dc:creator>
      <pubDate>Wed, 24 Jun 2026 17:23:23 +0000</pubDate>
      <link>https://dev.to/compliancedocs/the-iso-27001-statement-of-applicability-explained-for-engineers-2ble</link>
      <guid>https://dev.to/compliancedocs/the-iso-27001-statement-of-applicability-explained-for-engineers-2ble</guid>
      <description>&lt;p&gt;If your startup is going for ISO 27001, the document the auditor opens first is the &lt;strong&gt;Statement of Applicability (SoA)&lt;/strong&gt;. Most engineering teams build it backwards and pay for it at the audit. Here's the mental model that actually holds up.&lt;/p&gt;

&lt;h2&gt;
  
  
  What the SoA actually is
&lt;/h2&gt;

&lt;p&gt;The SoA is one document that lists &lt;strong&gt;every control in Annex A of ISO/IEC 27001:2022&lt;/strong&gt; and states, for each: does it apply to you, why, and what's its status. It's not optional — clause 6.1.3 d) names it by name as documented information you must produce. It's one of the very few documents the standard requires explicitly.&lt;/p&gt;

&lt;p&gt;If your ISMS were a map, the SoA is the legend. It ties your assessed risks to the specific controls you've decided to operate.&lt;/p&gt;

&lt;p&gt;Annex A:2022 has &lt;strong&gt;93 controls in four themes&lt;/strong&gt;: Organizational (A.5, 37 controls), People (A.6, 8), Physical (A.7, 14), and Technological (A.8, 34). The SoA walks all 93 — including the ones you exclude. The completeness is the point: an auditor should see you considered the whole set and made a deliberate call on each, not cherry-picked.&lt;/p&gt;

&lt;h2&gt;
  
  
  Build it in the right direction
&lt;/h2&gt;

&lt;p&gt;The SoA is an &lt;strong&gt;output&lt;/strong&gt;, not an input. The chain is:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Assess your risks (clause 6.1.2)&lt;/li&gt;
&lt;li&gt;Decide how to treat each one — modify, avoid, share, retain (clause 6.1.3)&lt;/li&gt;
&lt;li&gt;Determine the controls those treatment decisions require&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Then&lt;/strong&gt; check that set against Annex A as a &lt;em&gt;completeness check&lt;/em&gt;
&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;A control is "applicable" because a risk you identified or an obligation you carry needs it — not because it's in the standard. A control is "excluded" when nothing you found depends on it and you can say why. Classic defensible exclusion: if you do no software development, you can reasonably exclude the secure-development controls (~A.8.25-A.8.30) — as long as that's genuinely and durably true.&lt;/p&gt;

&lt;p&gt;Do it backwards — pick controls off Annex A first, then reverse-engineer risks to fit — and an experienced auditor will usually notice.&lt;/p&gt;

&lt;h2&gt;
  
  
  The columns that matter
&lt;/h2&gt;

&lt;p&gt;Treat the SoA like a schema. For each control, resolve: &lt;strong&gt;control ID + title, theme, applicable (Y/N), justification, implementation status, evidence reference.&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Justification&lt;/strong&gt; must be specific: &lt;em&gt;"required to mitigate the access-control risks in our risk register"&lt;/em&gt; — not a restatement of the control title.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Status&lt;/strong&gt; stays honest. "Planned," backed by a dated plan, is acceptable at a &lt;strong&gt;Stage 1&lt;/strong&gt; audit (which mostly checks documentation and readiness).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Evidence&lt;/strong&gt; links each applicable control to proof — a log, an access review, a ticket, a signed acknowledgment. That's what turns the SoA from a list of intentions into a navigable index into your ISMS.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Mistakes that cost you at audit
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Excluding controls to cut work&lt;/strong&gt; instead of because they genuinely don't apply. Every exclusion needs to survive a follow-up question.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Leaving template placeholder justifications&lt;/strong&gt; ("applies to company systems"). That tells the auditor you filled a spreadsheet but didn't connect it to your environment.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;An SoA that disagrees with the rest of the ISMS&lt;/strong&gt; — a control marked applicable with no policy behind it. Internal consistency is exactly what auditors sample.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Treating it as one-and-done.&lt;/strong&gt; It's living documented information — update it after each risk cycle and any significant change.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Using the old 2013 structure&lt;/strong&gt; (114 controls / 14 domains, A.5-A.18). Certification is against ISO/IEC 27001:2022, so your SoA must reflect the 93-control, four-theme Annex A.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The SoA is the index; the audit is the auditor checking the index points to something real.&lt;/p&gt;

&lt;h2&gt;
  
  
  A head start
&lt;/h2&gt;

&lt;p&gt;Transcribing all 93 controls and laying out the columns before you can do any of the actual thinking adds nothing unique to your org — so it's worth not doing by hand. We publish a &lt;strong&gt;93-control SoA workbook&lt;/strong&gt; (pre-populated with every Annex A:2022 control, its theme, and starter justification wording) alongside the matching risk register and the policies the evidence column points back to, in the &lt;a href="https://compliancedocshq.com/toolkits/iso27001-full" rel="noopener noreferrer"&gt;ISO 27001 Complete Toolkit&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Be clear about the boundary: a workbook gives you the structure, not the judgment — the applicability calls, the org-specific justifications, and the evidence have to be yours. And no template makes anyone "ISO 27001 certified"; certification comes only from an accredited body auditing a working management system.&lt;/p&gt;

&lt;p&gt;Full step-by-step walkthrough (the original of this post): &lt;a href="https://compliancedocshq.com/learn/iso-27001-statement-of-applicability" rel="noopener noreferrer"&gt;How to Write Your ISO 27001 Statement of Applicability&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>security</category>
      <category>compliance</category>
      <category>startup</category>
      <category>saas</category>
    </item>
  </channel>
</rss>
