A Statement of Applicability (SoA) is a required ISO 27001 document listing all Annex A controls, stating whether each applies to the organization, and providing justification for inclusions and exclusions. The SoA is a primary document auditors review to assess control selection. Excluding a control requires justification based on risk assessment - not simply that the control is difficult to implement.
Keep Exploring