Statement of Applicability

Produce a defensible ISO 27001 Statement of Applicability

For CISOs and ISO managers who must show, control by control, that every Annex A decision is deliberate, justified, and current — without rebuilding the SoA by hand each audit.
The challenge

The document auditors open first is the one that drifts

The Statement of Applicability is the document an ISO 27001 auditor opens first. It has to state which Annex A controls apply, which don't, and why — and it has to match what your organization actually does today, not what it did at your last certification.

Most teams maintain it in a spreadsheet that drifts the moment controls, scope, or standards change. Conformity percentages get tallied by hand, and applicability decisions lose their justification.

So the document meant to evidence deliberate control selection becomes the thing you scramble to reconstruct the week before the audit.

What you can do

What you can do with the Statement of Applicability

  • Work from a dedicated SoA view mapped to ISO 27001, not a generic control list.
  • Mark each control applicable or not applicable per organization and per category.
  • Evaluate applicability conditions across built-in and external standards in one place.
  • See per-category applicable-control totals and conformity percentages calculated for you.
  • Report against the ISO 27001 SoA control set, including the 2013 set, without manual mapping.
Business outcomes

What it delivers to your program

  • Walk into the audit with the SoA already done — applicability and conformity are tracked live, not rebuilt the week before.
  • Defend every applicability decision — status recorded per control and category gives "why is this excluded?" a ready answer.
  • Stop hand-counting conformity — per-category percentages are computed for you, removing a recurring spreadsheet error.
  • Keep one SoA across multiple standards so internal and external frameworks stay tied to the same control inventory.
Built for compliance

These mappings show how the feature supports your obligations — they do not guarantee or constitute compliance.

What DPMS does | Maps to | How
Designates applicable vs. not-applicable controls | ISO 27001 (Statement of Applicability) | Per-control, per-category applicability status in a dedicated SoA view
Supports the ISO 27001 SoA control set | ISO 27001 Annex A | Built-in mapping to the control set, including the SoA 2013 set
Evaluates applicability across standards | ISO 27001 | Conditions assessed for both local and external standards
Reports conformity per category | ISO 27001 | Automatic applicable-control totals and conformity-percentage calculation
See how this maps to your Annex A controls — book a 30-minute demo.
Why Priverion

Unlike general-purpose GRC tools that hold the SoA as a standalone register, Priverion treats it as a first-class view tied to ISO 27001 — applicability and conformity percentages are computed per category from your live control data, not entered by hand.

Because the SoA sits inside one unified privacy and InfoSec platform, the controls you assess feed the same inventory your risk and compliance work already uses. The document an auditor reviews reflects the state of your controls today, without re-keying.

FAQ

Questions CISOs ask before a demo

Does this produce an ISO 27001 Statement of Applicability specifically?
Yes. DPMS provides a dedicated SoA view mapped to ISO 27001, including the SoA 2013 control set — not a generic control checklist.

Can I mark controls not applicable and keep that decision documented?
Yes. Each control is set applicable or not applicable per organization and per category, so every inclusion and exclusion is recorded for the auditor.

Are conformity percentages calculated automatically?
Yes. Applicable-control totals and conformity percentages are calculated per category for SoA reporting, removing the manual tally.

Does it work with standards beyond the built-in ISO 27001 set?
Applicability is evaluated for both built-in and external standards, so the same SoA approach extends to standards you add.

Ready to produce an audit-ready SoA?

Book a 30-minute demo focused on the ISO 27001 Statement of Applicability — see your Annex A controls, applicability decisions, and per-category conformity in one view. Or talk to a Priverion expert about your standards.