Instant Statement of Applicability Export: PDF & Excel in Seconds
Published: • 4 min read
Generate audit-ready ISO 27001 Statement of Applicability reports instantly. Export to PDF or Excel with complete control mapping, implementation status, risk linkage, and evidence tracking - all in seconds.
What is a Statement of Applicability?
The Statement of Applicability (SOA) is a mandatory document for ISO 27001 certification. It's a comprehensive list showing which security controls from Annex A you've implemented and why. Think of it as your "control inventory" - it proves to auditors that you've reviewed all 93 ISO 27001:2022 controls, decided which ones apply to your organization, documented why controls are included or excluded, tracked implementation status for each control, and linked controls to risks and evidence.
Why the SOA is Critical for ISO 27001
Without a proper SOA, you cannot get ISO 27001 certified. It's typically the first document auditors review, and they will verify that all 93 controls are addressed (whether applicable or not), check your justifications for excluded controls, validate that controls marked "implemented" have supporting evidence, and cross-reference controls to your risk assessment. The problem? Creating and maintaining an SOA manually in spreadsheets is time-consuming, error-prone, and painful to update.
What's New in RiskRegister.ai?
📄 Instant PDF Generation
Generate a professional, audit-ready SOA in PDF format with one click. The report includes your organization details and generation date, a complete list of all 93 ISO 27001:2022 Annex A controls, implementation status (Implemented, Not Implemented, or Partially Implemented), applicability decisions with justifications for exclusions, the number of risks addressed by each control, and the number of documents supporting each control.
📊 Excel Export for Analysis
Need to analyze your controls or share with stakeholders? Export to Excel with sortable columns that let you filter by status, framework, or applicability. The data is pivot-ready so you can create custom reports and dashboards, making it easy to email to management or consultants. You can quickly identify controls needing attention for gap analysis.
🎯 Real-Time Data
Your SOA is always up-to-date because it's generated from live data. Control implementation status updates automatically, risk counts reflect your current risk register, and evidence counts update when you upload documents. No manual spreadsheet updates are ever needed.
What the Report Looks Like
Statement of Applicability (ISO 27001:2022)
Organization: demo@riskregister.ai
Generated: 2026-01-23
| Framework Ref | Control | Applicable | Status | Risks | Evidence |
|---|---|---|---|---|---|
| ISO27001 A.5.1 | Information security policies | Yes | Not Implemented | 0 | 0 |
| ISO27001 A.5.2 | Information security roles and responsibilities | Yes | Implemented | 0 | 0 |
| ISO27001 A.5.3 | Segregation of duties | Yes | Not Implemented | 0 | 0 |
Sample showing 3 of 93 controls
How It Saves You Time
Manual SOA creation typically takes 4-8 hours of tedious spreadsheet work. With RiskRegister.ai, you can generate the same report in 2 seconds. Your SOA is always audit-ready because you can generate a fresh version before every audit with the latest data. Changes to controls automatically reflect in the next export, so there's no manual updating required. You can also export monthly to track your implementation progress over time, showing auditors and management how your compliance program is maturing.
Getting Started
💡 Pro Tip: Export your SOA monthly and save it with the date. This creates a historical record showing your compliance journey - auditors love seeing progress over time.
Ready to Generate Your SOA?
Create your ISO 27001 Statement of Applicability in seconds.
Start Free Trial