The Statement of Applicability is the bridge between your risk assessment and your control implementation. Required by clause 6.1.3 of ISO 27001, it is one of the documents the auditor asks for first.
For each of the 93 controls in Annex A, the SoA records four things: whether the control is applied; the justification for applying it (or for excluding it); the evidence that demonstrates it operates as intended; and, where applicable, a reference to the procedure or system that gives the control its effect.
The SoA is treated as living documentation. It is updated when the risk assessment changes, when a new system is introduced, or when a control's evidence base shifts. A common audit finding is an SoA that was produced once at certification and never revisited; the surveillance audit then raises a major non-conformity, or the certificate is withdrawn.
The hard part is keeping the SoA aligned with the risk register. The Askara Solutions agent treats the SoA as a derived view: when a risk is added or a control's status changes, the SoA reflects it without a manual rewrite, so the document on file always matches the controls actually in operation.