Statement of Applicability (SoA)

ISO 27001 customers know creating a Statement of Applicability (SoA) is a fundamental step in managing risk. It's also how you'll explain to an auditor your approach to each Annex A control.

Comply lets you create a Statement of Applicability in-app and export it to CSV to share with auditors. This feature isn't just useful for ISO customers - no matter what frameworks you manage in Comply, you can keep track of which requirements are applicable or not, your justifications, and whether each requirement has been implemented or not.

To create an Statement of Applicability:

  • Click on Frameworks in the GRC dropdown
  • Click on a framework (CCPA, HIPAA, SOC 2, ISO, etc.)

What you'll see is a dashboard for evidence and a list with every requirement for that framework:


You can edit the "Justification" (for inclusion or exclusion of the requirement from your policy manual), the "Applicability" of each requirement, and whether the controls that you've mapped to that requirement have been "Implemented" or not.

When you're ready, click "Export" to produce a .csv of your SoA. Statements of Applicability should be version controlled, so you should name your SoA export with a timestamp and version number.


A note on terminology: Requirements and Controls

Some frameworks, like ISO, use the term "controls" to refer to their requirements (e.g., "Annex A Controls"). We use the term "requirements" to disambiguate something in a framework from your own "internal controls." We use the term "Internal Controls," or "Controls" for short, to refer to the basic protections that you enumerate in your policy manual and which map to various framework requirements.