ISMS Copilot

Generating an ISO 27001 Statement of Applicability

Produce a defensible SoA that satisfies clause 6.1.3 d) with justified inclusions and exclusions.

Generating a defensible Statement of Applicability

Clause 6.1.3 d) of ISO 27001:2022 requires an SoA that lists the necessary controls, justifies their inclusion, states their implementation status, and justifies the exclusion of any Annex A controls. Auditors challenge SoAs where exclusions are unjustified or applicability is asserted without a link to the risk treatment plan. ISMS Copilot starts from the 93 Annex A:2022 controls across the four themes, ties each applicability decision to the risk assessment and treatment outputs, and drafts inclusion and exclusion justifications in language that references the threat, the treatment option chosen and the residual risk owner. It tracks implementation status per control and keeps the SoA consistent with the risk treatment plan so the two documents do not contradict each other at audit. The output is a working draft for the ISMS owner to review and approve; control selection and risk acceptance remain management decisions, not automated ones.
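The clause 6.1.3 d) elements and the SoA-to-risk-treatment-plan consistency described above can be checked mechanically before the ISMS owner reviews the draft. The Python below is an added illustration, not ISMS Copilot's code; the control identifiers are derived from the Annex A:2022 numbering, while the SoA rows and the risk treatment plan are constructed sample data.

```python
from dataclasses import dataclass

# Annex A:2022 identifiers by theme (organizational 5.x, people 6.x,
# physical 7.x, technological 8.x): 37 + 8 + 14 + 34 = 93 controls.
ANNEX_A_2022 = [f"{theme}.{n}" for theme, count in ((5, 37), (6, 8), (7, 14), (8, 34))
                for n in range(1, count + 1)]

@dataclass
class SoaRow:
    control: str        # Annex A identifier, e.g. "8.24"
    applicability: str  # "applicable", "partial" or "excluded"
    justification: str  # reason for inclusion or exclusion (clause 6.1.3 d)
    status: str = ""    # implementation status; required unless excluded

def check_soa(rows, treatment_plan):
    """Return findings an auditor would raise. treatment_plan: risk id -> selected controls."""
    findings = []
    in_soa = {r.control for r in rows}
    findings += [f"{c}: no decision recorded in SoA" for c in ANNEX_A_2022 if c not in in_soa]
    selected = {c for controls in treatment_plan.values() for c in controls}
    for r in rows:
        included = r.applicability in ("applicable", "partial")
        if r.control not in ANNEX_A_2022:
            findings.append(f"{r.control}: not an Annex A:2022 control")
        if not r.justification.strip():
            findings.append(f"{r.control}: {r.applicability} without justification")
        if included and not r.status.strip():
            findings.append(f"{r.control}: no implementation status")
        if included and r.control not in selected:
            findings.append(f"{r.control}: included but no risk treatment references it")
        if not included and r.control in selected:
            findings.append(f"{r.control}: excluded but selected by the risk treatment plan")
    return findings

def sample_findings():
    """Constructed sample: a few deliberate defects plus filler rows so every control is addressed."""
    plan = {"R-01": ["8.24", "6.7"], "R-02": ["8.1"]}  # hypothetical risk treatment plan
    rows = [
        SoaRow("5.1", "applicable", "Policies required by scope", "Implemented"),
        SoaRow("6.7", "excluded", "No remote working in scope"),          # contradicts plan
        SoaRow("7.4", "excluded", ""),                                    # no justification
        SoaRow("8.1", "applicable", "Treats R-02 (endpoint compromise)"),  # no status
        SoaRow("8.24", "applicable", "Treats R-01 (data in transit)", "Implemented"),
    ]
    done = {r.control for r in rows}
    rows += [SoaRow(c, "excluded", "Constructed filler: out of sample scope")
             for c in ANNEX_A_2022 if c not in done]
    return check_soa(rows, plan)
```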


Free SoA generator and Annex A finder

Want a first pass before the ISMS owner refines it? The free ISO 27001 SoA Generator produces a starter Statement of Applicability over all 93 Annex A:2022 controls (applicable, excluded or partial with justification) from the same control dataset — a draft to react to, not an approved SoA.


Frequently Asked Questions

What does clause 6.1.3 d) require in an SoA?

It requires the necessary controls with justification for inclusion, their implementation status, and justification for excluding any Annex A controls. ISMS Copilot structures the SoA so each of these elements is explicit and traceable to the risk treatment plan.

How are exclusions justified?

Each excluded Annex A:2022 control gets a documented rationale tied to scope or the risk assessment, for example a control not relevant because the organization does not perform that activity. Unjustified exclusions are the most common SoA audit finding, so the Copilot prompts for a defensible reason.

Does it decide which controls apply?

No. The Copilot drafts justifications and tracks status from your risk assessment, but control selection and risk acceptance are management decisions. The ISMS owner reviews and approves the SoA before it is used as audit evidence.
