Chapter Overview
The Statement of Applicability (SoA) is a mandatory document required by Clause 6.1.3. It lists all 39 Annex A controls and states whether each is applicable to your AI management system (AIMS), with a justification for any exclusions.
SoA Requirement
Clause 6.1.3 requires:
"The organization shall produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A."
Purpose of the SoA
Why the SoA Matters
| Purpose | Description |
|---|---|
| Completeness Check | Ensures all 39 controls have been considered |
| Justification Record | Documents rationale for control decisions |
| Implementation Tracking | Shows status of each control |
| Audit Reference | Key document for certification audits |
| Scope Definition | Defines control scope within AIMS |
| Communication Tool | Communicates control framework to stakeholders |
SoA Content Requirements
Required Elements
| Element | Requirement |
|---|---|
| Control Reference | All 39 Annex A controls must be listed |
| Control Name | Name/description of each control |
| Applicability | Whether control is applicable (Yes/No) |
| Justification for Inclusion | Why applicable controls are included |
| Justification for Exclusion | Why non-applicable controls are excluded |
| Implementation Status | Whether control is implemented (recommended) |
Optional but Recommended Elements
| Element | Purpose |
|---|---|
| Implementation Reference | Link to policy/procedure implementing the control |
| Risk Reference | Link to related risks in risk register |
| Responsible Party | Who is responsible for the control |
| Implementation Date | When control was/will be implemented |
| Notes | Additional context or comments |
SoA Template
Statement of Applicability Template
STATEMENT OF APPLICABILITY
Organization: [Organization Name]
AIMS Scope: [Reference to scope document]
Version: [Version number]
Date: [Date]
Approved By: [Name and role]
Column Headers:
• Control ID
• Control Name
• Applicable (Yes/No)
• Justification
• Status (Implemented/Partial/Planned/Not Implemented)
• Implementation Reference
• Notes
Complete SoA Control List
A.2 Policies for AI (2 Controls)
| ID | Control Name |
|---|---|
| A.2.2 | AI Policy |
| A.2.3 | Review of the Policies for AI |
A.3 Internal Organization (4 Controls)
| ID | Control Name |
|---|---|
| A.3.2 | Roles and Responsibilities |
| A.3.3 | Reporting |
| A.3.4 | Authorities |
| A.3.5 | Coordination |
A.4 Resources for AI Systems (4 Controls)
| ID | Control Name |
|---|---|
| A.4.2 | Resource Needs |
| A.4.3 | Data Resources |
| A.4.4 | Tooling Resources |
| A.4.5 | System and Computing Resources |
A.5 Assessing Impacts (4 Controls)
| ID | Control Name |
|---|---|
| A.5.2 | Assessing Impacts on Individuals |
| A.5.3 | Assessing Societal Impacts |
| A.5.4 | Assessment Documentation |
| A.5.5 | AI System Impact Assessment Status |
A.6 AI System Life Cycle (12 Controls)
| ID | Control Name |
|---|---|
| A.6.1.2 | Managing AI System Life Cycle |
| A.6.1.3 | Responsible AI |
| A.6.1.4 | AI System Life Cycle Documentation |
| A.6.2.2 | Defining Objectives |
| A.6.2.3 | Assessing Feasibility |
| A.6.2.4 | Technical Documentation |
| A.6.2.5 | Maintaining Records |
| A.6.2.6 | Engaging Interested Parties |
| A.6.2.7 | Approaches for Achieving Objectives |
| A.6.2.8 | Defining System Requirements |
| A.6.2.9 | Verification and Validation |
| A.6.2.10 | AI System Operation and Monitoring |
A.7 Data for AI Systems (5 Controls)
| ID | Control Name |
|---|---|
| A.7.2 | Data Acquisition |
| A.7.3 | Data Quality |
| A.7.4 | Data Provenance |
| A.7.5 | Data Preparation |
| A.7.6 | Data Management |
A.8 Information for Interested Parties (4 Controls)
| ID | Control Name |
|---|---|
| A.8.2 | Communication of Information to Interested Parties |
| A.8.3 | User Documentation |
| A.8.4 | Information Regarding AI Interaction |
| A.8.5 | Information for Achieving Explainability |
A.9 Use of AI Systems (3 Controls)
| ID | Control Name |
|---|---|
| A.9.2 | Intended Use |
| A.9.3 | Fitness for Purpose |
| A.9.4 | Human Oversight |
A.10 Third-Party and Customer Relationships (3 Controls)
| ID | Control Name |
|---|---|
| A.10.2 | Third Parties |
| A.10.3 | Monitoring of Third Parties |
| A.10.4 | Customers and Users |
Justification Examples
Justification for Inclusion
| Control | Justification Example |
|---|---|
| A.2.2 AI Policy | Required to establish AI governance framework for all AI systems in scope |
| A.7.3 Data Quality | Essential for ensuring AI model accuracy; required by risk assessment findings |
| A.9.4 Human Oversight | Required for high-risk AI systems making decisions affecting individuals |
Justification for Exclusion
| Control | Justification Example |
|---|---|
| A.7.5 Data Preparation | Organization only uses pre-trained third-party models with no custom training |
| A.10.2 Third Parties | No third parties involved; all AI development and operation is internal |
| A.6.2.3 Assessing Feasibility | Organization only uses established AI systems; no new development |
Valid Exclusion Reasons
Controls may be excluded if:
• Activity is not performed (e.g., no AI development)
• No applicable AI systems (e.g., no customer-facing AI)
• Function is outsourced (but A.10 controls would apply)
• Explicitly out of scope
Invalid exclusion reasons:
• "Too difficult to implement"
• "Not enough resources"
• "Not a priority"
• "Will implement later" (this is a status, not exclusion)
SoA Best Practices
Do's
- Include all 39 controls - no exceptions
- Provide specific justifications, not generic statements
- Link to risk assessment findings
- Keep SoA updated when changes occur
- Have SoA approved by appropriate authority
- Use SoA as living document
- Cross-reference implementation documents
Don'ts
- Don't exclude controls without valid justification
- Don't use vague justifications like "not applicable"
- Don't create SoA only for audit
- Don't ignore excluded controls during risk assessment
- Don't forget to update SoA when scope changes
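As an added example (not part of this chapter and not an ISO/IEC artifact), the following Python script lints a CSV export of an SoA against the checks described above: completeness against the Annex A control IDs transcribed from the tables in this chapter, a justification for every inclusion and exclusion, exclusion reasons that match the invalid list (plus the vague "not applicable"), status values from the template, and an implementation reference for every control marked Implemented. The CSV column names follow the template's column headers; the sample SoA it builds, the `POL-` references and the risk finding `R-xx` are constructed placeholders, and the lint tool itself is hypothetical.

```python
"""Added example: lint a Statement of Applicability (SoA) CSV export.

Hypothetical tooling, not part of any standard or product. Assumes the SoA is
exported as CSV using the column headers from the template in this chapter.
"""
import csv
import io

# Annex A control IDs, transcribed from the control tables in this chapter.
REQUIRED_CONTROLS = (
    "A.2.2", "A.2.3",
    "A.3.2", "A.3.3", "A.3.4", "A.3.5",
    "A.4.2", "A.4.3", "A.4.4", "A.4.5",
    "A.5.2", "A.5.3", "A.5.4", "A.5.5",
    "A.6.1.2", "A.6.1.3", "A.6.1.4",
    "A.6.2.2", "A.6.2.3", "A.6.2.4", "A.6.2.5", "A.6.2.6",
    "A.6.2.7", "A.6.2.8", "A.6.2.9", "A.6.2.10",
    "A.7.2", "A.7.3", "A.7.4", "A.7.5", "A.7.6",
    "A.8.2", "A.8.3", "A.8.4", "A.8.5",
    "A.9.2", "A.9.3", "A.9.4",
    "A.10.2", "A.10.3", "A.10.4",
)

# Status values from the template's Status column.
VALID_STATUSES = {"Implemented", "Partial", "Planned", "Not Implemented"}

# Phrases the chapter lists as invalid exclusion reasons, plus the vague "not applicable".
INVALID_EXCLUSION_PHRASES = (
    "too difficult", "not enough resources", "not a priority",
    "will implement later", "not applicable",
)

# Column headers from the SoA template.
COLUMNS = ["Control ID", "Control Name", "Applicable", "Justification",
           "Status", "Implementation Reference", "Notes"]


def lint_soa(csv_text):
    """Return a list of (control_id, check, detail) findings; an empty list means the SoA passes."""
    findings = []
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        cid = row["Control ID"].strip()
        if cid in seen:
            findings.append((cid, "duplicate", "control listed more than once"))
            continue
        seen[cid] = row

    # Completeness check: every Annex A control must appear, and nothing else should.
    for cid in REQUIRED_CONTROLS:
        if cid not in seen:
            findings.append((cid, "missing", "control not listed in the SoA"))
    for cid in seen:
        if cid not in REQUIRED_CONTROLS:
            findings.append((cid, "unknown", "ID is not an Annex A control"))

    for cid, row in seen.items():
        applicable = row["Applicable"].strip().lower()
        justification = row["Justification"].strip()
        status = row["Status"].strip()
        reference = row["Implementation Reference"].strip()

        if applicable not in ("yes", "no"):
            findings.append((cid, "applicability", f"expected Yes/No, got {row['Applicable']!r}"))
            continue
        # Both inclusions and exclusions need a justification.
        if not justification:
            findings.append((cid, "justification", "no justification given"))
        elif applicable == "no":
            lowered = justification.lower()
            for phrase in INVALID_EXCLUSION_PHRASES:
                if phrase in lowered:
                    findings.append((cid, "exclusion", f"invalid exclusion reason: {phrase!r}"))
                    break
        if applicable == "yes":
            if status not in VALID_STATUSES:
                findings.append((cid, "status", f"unrecognised status {status!r}"))
            elif status == "Implemented" and not reference:
                # An auditor will ask for evidence; "Implemented" with no reference is a gap.
                findings.append((cid, "evidence", "marked Implemented but no implementation reference"))
    return findings


def build_sample_soa(overrides=None, drop=()):
    """Constructed sample SoA: every control included and implemented, with optional edits."""
    overrides = overrides or {}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS)
    writer.writeheader()
    for cid in REQUIRED_CONTROLS:
        if cid in drop:
            continue
        row = {"Control ID": cid, "Control Name": f"Control {cid}", "Applicable": "Yes",
               "Justification": "Required by risk assessment finding R-xx (placeholder)",
               "Status": "Implemented", "Implementation Reference": f"POL-{cid} (placeholder)",
               "Notes": ""}
        row.update(overrides.get(cid, {}))
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Seed a few defects of each kind the chapter warns about, then lint.
    sample = build_sample_soa(
        overrides={
            "A.7.5": {"Applicable": "No", "Status": "", "Implementation Reference": "",
                      "Justification": "Only pre-trained third-party models are used; no custom training"},
            "A.10.2": {"Applicable": "No", "Status": "", "Implementation Reference": "",
                       "Justification": "Not applicable"},
            "A.6.2.3": {"Applicable": "No", "Status": "", "Implementation Reference": "",
                        "Justification": "Will implement later"},
            "A.8.3": {"Implementation Reference": ""},
            "A.9.4": {"Status": "In progress"},
        },
        drop=("A.3.5",),
    )
    for finding in lint_soa(sample):
        print(finding)
```

A clean export (every control listed, a justification on every row, valid statuses, references behind every Implemented control) produces no findings; the seeded sample reports the dropped control, the two bad exclusion reasons, the missing evidence reference and the unrecognised status, while the properly justified exclusion of A.7.5 passes.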
SoA Audit Focus
Auditor Questions - SoA
• Show me your Statement of Applicability
• How did you determine control applicability?
• Justify why control [X] is excluded
• How does the SoA link to your risk assessment?
• When was the SoA last reviewed?
• Who approved the SoA?
• Show me evidence that control [X] is implemented as stated
Key Takeaways - SoA
1. SoA is a mandatory document (Clause 6.1.3)
2. Must list all 39 Annex A controls
3. Must justify both inclusions AND exclusions
4. Implementation status should be tracked
5. Link to risk assessment and treatment
6. Keep SoA updated and version controlled