The document that lists every ISO/IEC 27001 Annex A control, states whether it applies, and justifies each inclusion or exclusion.
The Statement of Applicability (SoA) is a central ISO/IEC 27001 document. It records the result of risk treatment: which Annex A controls the organization has selected, the reasons for selecting them, whether they are implemented, and a justification for any control left out.
Auditors treat the SoA as a map of the ISMS. It connects identified risks to the specific controls chosen to address them, which makes it one of the first documents reviewed in a certification audit.
Related frameworks
KaitoSec