Module · Compliance Enablers

Statement of Applicability

Annex A, Decided, Justified, and Always Audit-Ready

The Statement of Applicability is the single document every ISO 27001 auditor reads first — and the one most teams still maintain in a fragile spreadsheet. Manage applicability decisions and justifications for every Annex A control, track implementation status from not started through effective, and keep the SoA permanently in sync with your control library and risk treatment plan. This is core ISMS machinery that checkbox compliance tools simply do not model.

Before → After

The problem we solve.

Why teams switch to Compliance Enablers for the Statement of Applicability.

Industry challenges

  • The SoA is a 93-row spreadsheet that breaks every time Annex A is touched
  • Justifications written once for certification and never revisited as the business changes
  • No connection between SoA decisions and the actual state of controls — status is guesswork
  • Each surveillance audit triggers a scramble to reconcile the SoA against reality

How we solve it

  • Pre-filled Annex A register with applicability, justification, and status per control
  • Living implementation status from Not Started to Effective, maintained continuously
  • SoA decisions linked to controls and risk treatment in the same data model
  • Matrix view exposes gaps and stale decisions long before the audit does

Capabilities

Built for depth, out of the box.

Every capability is production-ready on day one. No add-ons, no extra subscriptions.

Flagship capability

Annex A Pre-Fill

Start from the full ISO 27001:2022 Annex A control set — from policies for information security through supplier relationships — instead of retyping control titles into a spreadsheet.

Applicability Decisions with Justifications

Mark each control applicable or not applicable and record the justification beside the decision, exactly the way certification auditors expect to read it.

Implementation Status Tracking

Track each applicable control from Not Started through In Progress, Implemented, and Effective — so the SoA reflects reality, not aspiration.

Annex A Matrix View

See the entire Annex A landscape in a single matrix — applicability, status, and gaps at a glance for management review and audit preparation.

Connected to Risk Treatment

SoA decisions sit in the same system as your risks and controls, keeping inclusion and exclusion rationale consistent with the risk treatment plan.

The impact

Why it matters.

  • Produce the document auditors scrutinize hardest without a single spreadsheet formula
  • Every exclusion carries a written justification — no awkward silences in the audit room
  • Implementation status rolls up live, showing exactly how far you are from effective
  • SoA stays consistent with the control library and risk register because it shares their data
  • Surveillance audits reuse the same living SoA instead of triggering an annual rebuild

Unified data model

Part of a connected whole.

Statement of Applicability shares a unified data model with every other module. Zero silos, by design.

14-day free trial · no card required

See Statement of Applicability in action.

Book a 30-minute demo and we'll walk you through the Statement of Applicability module, tailored to your team, frameworks, and priorities.