What clause 6.1.3 actually demands
After assessing risks and choosing treatments, you must produce a Statement of Applicability that contains: the controls you determined necessary (from Annex A or anywhere else), justification for their inclusion, their implementation status, and justification for excluding any Annex A control. Necessary controls can come from other frameworks, contracts, or your own design; Annex A functions as the completeness checklist you compare against so nothing necessary is overlooked.
Why auditors treat it as the master document
The SoA is where an auditor tests whether your ISMS is one connected system or three disconnected artifacts. The standard trace: risk register entry, to treatment decision, to SoA control marked applicable, to the control operating in the real world, to evidence. Breaks in that chain are findings. Common ones: controls marked "implemented" that are aspirational, justifications copy-pasted from a template that mention departments you do not have, and an SoA version that predates your latest risk assessment, proving the two documents do not talk to each other.
Building one that holds up
- Structure: a table with control ID and name, applicable yes or no, justification tied to specific risks or requirements, implementation status, and where evidence lives. One line each, in your own words.
- Version it meaningfully. The SoA changes when your risk assessment changes, when incidents teach you something, and when scope moves. A two-year-old SoA in a company that shipped ten product changes is self-incriminating.
- Keep it honest about status. "Partially implemented, completion Q3" is a legitimate SoA entry before certification and shows a working system; "implemented" that fails sampling is a nonconformity plus a credibility wound that colors the rest of the audit.
One practical tip from the audit chair
Write justifications a stranger could verify: name the risk, the customer requirement, or the law that makes the control necessary. When every line of the SoA points at something real, Stage 1 becomes a table read instead of an interrogation, and Stage 2 auditors arrive already trusting your system's internal logic.