Core Artifact | Intermediate | 18 minutes

Statement of Applicability

Understand what the SoA is, why auditors care about it, and how it turns risk treatment into a control position.

Lesson overview

The Statement of Applicability (SoA) lists which Annex A controls are applicable, why each is included or excluded, and what its implementation status is.

Professional explanation

A credible SoA records, for each Annex A control, whether it is applicable, the justification for including or excluding it, and its implementation status, and each of those decisions is traceable back to the defined scope, the risk treatment plan, and the organization's legal and contractual obligations.

Practical example

If an organization excludes a control, it should be able to explain why that exclusion is justified in its context. If a control is applicable, the organization should know its implementation status and be able to point to the related evidence.

Content blocks

The SoA is a decision map
It shows how the organization moved from risk and obligations to a position on control applicability and implementation.
Weak SoAs usually look generic
If every control is simply marked "yes" without a rationale, or "no" without an explanation, the artifact stops being useful as either an audit or a management tool.

Examples and callouts

A SaaS company can justify extensive network, logging, and supplier controls while still explaining why some physical measures have lighter depth.
A healthcare-adjacent company should be able to link confidentiality-sensitive risks directly to applicable controls and evidence.
Do not treat the SoA as an afterthought
If the SoA is prepared only at the end of the project, it often reveals that risk treatment was never genuinely structured: controls get marked applicable because they exist, not because a risk or obligation called for them.
What auditors care about
Auditors usually look for traceability (each applicable control maps to a risk or obligation), a justification for every inclusion and exclusion, an honest implementation status, and whether the SoA matches what is actually practised.
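The checks above (justification on every row, applicable controls traced to a risk or obligation, implemented controls backed by evidence, excluded controls not still carrying open risks) can be run mechanically over an SoA kept as structured data. The following is an added example, not code from the original lesson or from any ISO tooling; the row structure, the risk IDs such as "R-07", and the evidence names are assumptions, and the sample rows are constructed for a SaaS scenario using ISO/IEC 27001:2022 Annex A control numbers.

```python
from dataclasses import dataclass, field

VALID_STATUS = {"implemented", "partial", "planned"}


@dataclass
class SoaRow:
    """One Annex A control as it appears in an SoA (field layout is an assumption)."""
    control: str                       # Annex A identifier, e.g. "A.8.15"
    title: str
    applicable: bool
    justification: str = ""            # why the control is included or excluded
    status: str = ""                   # implemented / partial / planned (applicable rows only)
    risks: list = field(default_factory=list)        # risk-register IDs (hypothetical)
    obligations: list = field(default_factory=list)  # legal or contractual drivers
    evidence: list = field(default_factory=list)     # documents, configs, tickets


def check_row(row: SoaRow) -> list:
    """Return the traceability problems an auditor would flag on one row."""
    findings = []
    if not row.justification.strip():
        findings.append("no justification recorded")
    if row.applicable:
        if not (row.risks or row.obligations):
            findings.append("applicable but traces to no risk or obligation")
        if row.status not in VALID_STATUS:
            findings.append(f"status {row.status!r} is not implemented/partial/planned")
        if row.status == "implemented" and not row.evidence:
            findings.append("marked implemented but no evidence referenced")
    else:
        if row.risks:
            findings.append("excluded but still linked to risks " + ", ".join(row.risks))
        if row.status or row.evidence:
            findings.append("excluded control carries status or evidence")
    return findings


def lint_soa(rows) -> dict:
    """Map control ID -> findings, only for rows that have any."""
    result = {}
    for row in rows:
        findings = check_row(row)
        if findings:
            result[row.control] = findings
    return result


def summarize(rows) -> dict:
    """The counts a management report would show alongside the lint results."""
    applicable = [r for r in rows if r.applicable]
    return {
        "total": len(rows),
        "applicable": len(applicable),
        "excluded": len(rows) - len(applicable),
        "implemented": sum(r.status == "implemented" for r in applicable),
        "with_findings": len(lint_soa(rows)),
    }


# Constructed sample for a SaaS company; risk IDs and evidence names are invented.
SAMPLE_SOA = [
    SoaRow("A.8.15", "Logging", True,
           "Customer data platform; needed to detect and investigate misuse",
           "implemented", risks=["R-07"], obligations=["customer DPA"],
           evidence=["SIEM retention policy", "weekly log review tickets"]),
    SoaRow("A.5.19", "Information security in supplier relationships", True,
           "", "partial", risks=["R-12"]),
    SoaRow("A.8.20", "Networks security", True,
           "Multi-tenant service exposed to the internet", "yes"),
    SoaRow("A.7.1", "Physical security perimeters", False,
           "No owned data centres; hosting provider perimeter is covered under A.5.19"),
    SoaRow("A.7.4", "Physical security monitoring", False, "", risks=["R-03"]),
]


if __name__ == "__main__":
    for control, findings in lint_soa(SAMPLE_SOA).items():
        for finding in findings:
            print(f"{control}: {finding}")
    print(summarize(SAMPLE_SOA))
```

Running this over the sample flags A.5.19 (applicable, but no justification), A.8.20 (a bare "yes" with no risk or obligation behind it) and A.7.4 (excluded without explanation while a risk still points at it), and leaves the two well-formed rows alone. The same checks apply whatever format the real SoA lives in; the point is that "yes without rationale" and "no without explanation" are detectable before the auditor finds them.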

Interactive prompt

Take one control, such as logging or supplier security, and write a short applicability statement and justification for a scenario of your choice. Include the risk or obligation that drives it, the implementation status, and the evidence you would show an auditor.

Module checkpoint

Q1. What does a strong SoA usually contain?
Q2. Why do auditors pay attention to the SoA?