Statement of Applicability software
The Statement of Applicability (SoA) is the document an ISO 27001 auditor reaches for first. Vulny lets you build and maintain it across all 93 Annex A controls — without a spreadsheet.
All 93 Annex A controls
Mark each ISO 27001:2022 Annex A control as applicable or not, record your justification and implementation status, and keep it all in one structured place that stays consistent with your risk register.
Linked to risks and findings
Your SoA does not live in isolation — it connects to the risks and the real vulnerability findings in the same platform, so applicability decisions are backed by evidence.
Audit-ready export
Export your Statement of Applicability as a branded PDF or DOC for auditors and management in a click — no formatting work, no version chaos.
Frequently asked questions
What is a Statement of Applicability?
The Statement of Applicability (SoA) lists every ISO 27001 Annex A control, states whether it applies to your organisation, and justifies why — it is a mandatory ISO 27001 document.
How many controls are in the SoA?
ISO 27001:2022 Annex A has 93 controls. Vulny lets you record applicability, justification and status for all of them.
Can I export the SoA for my auditor?
Yes — export a branded PDF or DOC of your Statement of Applicability in a click.
See it on your own site
Run one scan for security, SEO and AI-search (GEO) — and get a branded, ISO 27001 ready PDF report.
Scan my site →