Hael
Sign inRequest a demo
ISO/IEC 42001 · Implementation

The ISO/IEC 42001 Statement of Applicability

Updated 12 July 2026 · 6 min read
Key takeaway
The Statement of Applicability (SoA) is the centrepiece document of an ISO/IEC 42001 AIMS. It sets out, for every Annex A reference control, whether the control applies, why or why not, how it is implemented, and what residual risk the organisation accepts. A certification body reads the SoA first because it exposes the shape of the whole management system. An SoA that leaves controls without an applicability decision, or excludes controls without documented rationale, is the fastest way to fail Stage 1.
  • The SoA is the single most-important document in the AIMS.
  • For every Annex A control: applies or excluded, with rationale; if applies, implementation reference and residual risk.
  • Missing rationale for exclusion is the most common Stage 1 finding on the SoA.
  • The SoA must trace to real records, not just to policy documents.
  • Auditors look for the SoA first; keep it accurate, dated and sealed.
  • General information, not legal advice. Current as of July 2026.

What the SoA is for

The Statement of Applicability is the auditable expression of your risk-treatment decisions. It reconciles the standard's reference controls against your actual context. For each control, it makes a defensible statement: this applies and here is how; this does not apply and here is why; this applies partly and this is the residual risk we accept.

What each row must show

  • The control identifier (thematic reference — not the verbatim control text, which is copyrighted).
  • Applicability decision — applies or excluded.
  • Rationale — the reason for the decision, referenced to context and risk.
  • If applicable: the implementation reference — the policy, process or record where the control lives.
  • The residual risk after treatment, and its acceptance owner.

What auditors look for

Certification bodies read the SoA before anything else because it exposes the shape of the whole management system. They look for three things: every Annex A control has an applicability decision; every excluded control has a rationale that is defensible in the organisation's context; every applicable control traces to a real, dated, operated record rather than to a policy document that has never been executed. An SoA that fails any of those tests fails Stage 1.

Common SoA failures

  • Controls left blank or with a placeholder decision.
  • Exclusions without rationale, or with a rationale that says only 'not applicable'.
  • Implementation references pointing to policies with no operating record.
  • SoA never dated or version-controlled — the auditor cannot tell what is current.
  • SoA not signed off by leadership.

Why we describe it thematically

This article describes Annex A controls thematically rather than reproducing their text. The controls are part of a formal, copyrighted international standard. For the authoritative wording, consult ISO/IEC 42001 directly through the ISO portal or a national standards body.

Key terms

Statement of Applicability (SoA)
The auditable document setting out each Annex A control's applicability, rationale and implementation.
Residual risk
The risk that remains after controls are applied; must be accepted by an appropriate owner.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE