The ISO/IEC 42001 Statement of Applicability
- The SoA is the single most-important document in the AIMS.
- For every Annex A control: applies or excluded, with rationale; if applies, implementation reference and residual risk.
- Missing rationale for exclusion is the most common Stage 1 finding on the SoA.
- The SoA must trace to real records, not just to policy documents.
- Auditors look for the SoA first; keep it accurate, dated and sealed.
- General information, not legal advice. Current as of July 2026.
What the SoA is for
The Statement of Applicability is the auditable expression of your risk-treatment decisions. It reconciles the standard's reference controls against your actual context. For each control, it makes a defensible statement: this applies and here is how; this does not apply and here is why; this applies partly and this is the residual risk we accept.
What each row must show
- The control identifier (thematic reference — not the verbatim control text, which is copyrighted).
- Applicability decision — applies or excluded.
- Rationale — the reason for the decision, referenced to context and risk.
- If applicable: the implementation reference — the policy, process or record where the control lives.
- The residual risk after treatment, and its acceptance owner.
What auditors look for
Certification bodies read the SoA before anything else because it exposes the shape of the whole management system. They look for three things: every Annex A control has an applicability decision; every excluded control has a rationale that is defensible in the organisation's context; every applicable control traces to a real, dated, operated record rather than to a policy document that has never been executed. An SoA that fails any of those tests fails Stage 1.
Common SoA failures
- Controls left blank or with a placeholder decision.
- Exclusions without rationale, or with a rationale that says only 'not applicable'.
- Implementation references pointing to policies with no operating record.
- SoA never dated or version-controlled — the auditor cannot tell what is current.
- SoA not signed off by leadership.
Why we describe it thematically
This article describes Annex A controls thematically rather than reproducing their text. The controls are part of a formal, copyrighted international standard. For the authoritative wording, consult ISO/IEC 42001 directly through the ISO portal or a national standards body.
Key terms
- Statement of Applicability (SoA)
- The auditable document setting out each Annex A control's applicability, rationale and implementation.
- Residual risk
- The risk that remains after controls are applied; must be accepted by an appropriate owner.