The Statement of Applicability, Reimagined: Justifying Annex A Controls with Data

by Michael Foster, Principal Security Consultant

If the ISMS is the body of ISO 27001, the Statement of Applicability (SoA) is its spine. It declares which of the Annex A controls apply, which don't, and—critically—why. The 2022 revision streamlined Annex A to 93 controls across four themes (Organizational, People, Physical, Technological), but it raised the bar on justification. Auditors no longer accept "applicable because best practice."

At NOXMON, we use the RISKMON platform to make every line of the SoA defensible with evidence.

The Three Questions Every SoA Must Answer

For each Annex A control, ISO 27001 effectively asks:

  • Is it applicable? And if not, why is its exclusion safe?
  • Is it implemented? What is the current state of the control?
  • Is it justified? Which risks does it treat, and by how much?

Qualitative programs struggle with the third question. RISKMON answers it directly by linking each control to the risk scenarios it mitigates and the resulting reduction in quantified loss exposure.

Control Selection as a Portfolio Decision

We treat Annex A like an investment portfolio. RISKMON ranks candidate controls by their return on risk reduction—how much annualized loss exposure each removes per dollar of implementation cost. That lets clients sequence their roadmap intelligently instead of implementing all 93 controls at once.

Key figures at a glance:

  • Annex A controls in ISO 27001:2022: 93
  • Control themes used to organize the SoA: 4
  • Inclusions and exclusions justified by quantified risk: 100%

Traceability Auditors Trust

The strongest SoA tells a continuous story: each risk in the register links to a treatment decision, each treatment to one or more Annex A controls, and each control to operating evidence. NOXMON builds that chain inside RISKMON so that during the Stage 2 certification audit, your auditor can follow any thread end-to-end without a single missing link.
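The two ideas above, ranking controls by loss exposure removed per dollar and checking the risk-to-treatment-to-control-to-evidence chain for missing links, are easy to state but worth seeing as working code. The following is an added example written for this article; it is not RISKMON code and does not reflect how the platform computes exposure. It assumes the common simplification that annualized loss exposure (ALE) is expected event frequency multiplied by expected loss per event, and that each control removes a stated fraction of a risk's ALE. The risk register, the mitigation fractions, the costs and the evidence references are constructed sample data; only the Annex A control numbers are real.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    annual_frequency: float   # expected loss events per year (constructed)
    loss_magnitude: float     # expected loss per event in USD (constructed)

    @property
    def ale(self) -> float:
        # Annualized loss exposure, the simplified frequency x magnitude model
        return self.annual_frequency * self.loss_magnitude


@dataclass
class Control:
    control_id: str            # ISO 27001:2022 Annex A identifier
    name: str
    implementation_cost: float # USD, first-year cost (constructed)
    mitigations: dict[str, float] = field(default_factory=dict)  # risk_id -> fraction of ALE removed
    applicable: bool = True
    justification: str = ""    # required for every exclusion
    evidence: list[str] = field(default_factory=list)  # operating evidence references


# Constructed sample risk register
RISKS = {
    "R1": Risk("R1", "Ransomware on file servers", 0.2, 2_000_000),   # ALE 400,000
    "R2": Risk("R2", "Lost or stolen laptop", 2.0, 50_000),           # ALE 100,000
    "R3": Risk("R3", "Supplier data breach", 0.1, 500_000),           # ALE 50,000
}

# Constructed sample SoA rows (real Annex A numbers, invented figures)
CONTROLS = [
    Control("A.8.7", "Protection against malware", 60_000, {"R1": 0.5},
            evidence=["EDR-console-export-2024Q1"]),
    Control("A.8.13", "Information backup", 40_000, {"R1": 0.3}),       # no evidence yet
    Control("A.8.24", "Use of cryptography", 20_000, {"R2": 0.9},
            evidence=["FDE-compliance-report-2024Q1"]),
    Control("A.5.19", "Information security in supplier relationships", 25_000, {"R3": 0.4},
            evidence=["vendor-review-log-2024Q1"]),
    Control("A.7.4", "Physical security monitoring", 0, applicable=False,
            justification="No self-operated premises hold in-scope assets; cloud provider controls cover this"),
    Control("A.8.30", "Outsourced development", 0, applicable=False),  # excluded without a reason
]


def ale_reduction(control: Control, risks: dict[str, Risk]) -> float:
    """Annual loss exposure this control removes across the risks it treats."""
    return sum(risks[rid].ale * frac for rid, frac in control.mitigations.items() if rid in risks)


def rank_controls(controls: list[Control], risks: dict[str, Risk]) -> list[tuple[str, float, float]]:
    """Rank applicable controls by ALE removed per dollar of implementation cost.

    Returns (control_id, ale_removed, ale_removed_per_dollar), best first.
    """
    rows = []
    for c in controls:
        if not c.applicable or c.implementation_cost <= 0:
            continue
        removed = ale_reduction(c, risks)
        rows.append((c.control_id, removed, removed / c.implementation_cost))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


def trace_gaps(controls: list[Control], risks: dict[str, Risk]) -> list[str]:
    """Report every broken link in the risk -> control -> evidence chain."""
    gaps: list[str] = []
    treated: set[str] = set()
    for c in controls:
        if c.applicable:
            if not c.mitigations:
                gaps.append(f"{c.control_id}: applicable but linked to no registered risk")
            if not c.evidence:
                gaps.append(f"{c.control_id}: applicable but has no operating evidence")
            for rid in c.mitigations:
                if rid not in risks:
                    gaps.append(f"{c.control_id}: references unknown risk {rid}")
                treated.add(rid)
        elif not c.justification.strip():
            gaps.append(f"{c.control_id}: excluded without a documented justification")
    for rid in risks:
        if rid not in treated:
            gaps.append(f"{rid}: no applicable control treats this risk")
    return gaps


if __name__ == "__main__":
    for cid, removed, ratio in rank_controls(CONTROLS, RISKS):
        print(f"{cid:7} removes ${removed:>10,.0f}/yr  ({ratio:.2f} $ reduced per $ spent)")
    for gap in trace_gaps(CONTROLS, RISKS):
        print("GAP:", gap)
```

With the sample data the ranking puts endpoint encryption (A.8.24) first even though it removes less absolute exposure than anti-malware (A.8.7), because it does so far more cheaply; that is the sequencing signal a roadmap needs. The gap report flags the backup control with no evidence and the exclusion with no justification, which are exactly the two missing links an auditor would pull on.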

Top tip

Document the reason for every exclusion as carefully as every inclusion. A well-reasoned exclusion backed by RISKMON's risk data is far more credible than blanket adoption you can't operate.

The Bottom Line

A great SoA isn't longer—it's better justified. By grounding Annex A selection in quantified risk through RISKMON, NOXMON helps organizations build a Statement of Applicability that accelerates certification and doubles as a prioritized security roadmap.

Ready to make your SoA a strategic asset instead of an audit liability? NOXMON can help.
