ISO 27001 Statement of Applicability (SoA) Software

Control your ISO 27001 compliance with absolute clarity.
Zebsoft’s Statement of Applicability (SoA) Software transforms Annex A control management into a structured, auditable, and fully connected compliance framework.
Built for ISO 27001:2022 and aligned to real-world audit expectations, Zebsoft enables organisations to define, justify, adopt, and evidence every control — all within one integrated ISMS.

Accountability for Every Annex A Control

In ISO 27001, the SoA is the single most important document.
Zebsoft ensures every Annex A control — and every custom control you define — has a responsible owner, justification, adoption status, and linked evidence.
Nothing is overlooked. Nothing is ambiguous. Everything is auditable.

Why Choose Zebsoft for Statement of Applicability Management

Most platforms treat the SoA as a static checklist.
Zebsoft turns it into a live governance tool that drives your entire ISMS.

With Zebsoft you can:

✅ View all Annex A controls with default guidance
✅ Mark controls as “Adopted” or “Not Applicable” with required justification
✅ Add internal/custom controls beyond Annex A
✅ Link each control to risks, documents, training, and evidence
✅ Track control performance and review cycles
✅ Use auditor-facing reports with full traceability

This is the SoA exactly as auditors expect it — only smarter, faster, and fully integrated.

Take Control of Your ISO 27001 Compliance

The SoA becomes the backbone of your ISMS:

  • Document whether controls are implemented

  • Justify exclusions or partial adoption

  • Link controls to risk treatment actions

  • Attach policies, procedures, or evidence

  • Track implementation progress

  • Demonstrate continuous improvement

With Zebsoft, the SoA is no longer a document — it’s a live, evidence-driven assurance framework.

Key Features of Zebsoft’s ISO 27001 SoA Tool

Annex A Control Library (2022 Update)

All 93 Annex A controls are preloaded and grouped into:

  • A.5: Organisational Controls

  • A.6: People Controls

  • A.7: Physical Controls

  • A.8: Technological Controls

Each includes guidance, description, and implementation expectations.

Control Status & Justification

For every control, set a status:

  • Adopted

  • Not Applicable

  • Partially Implemented

And add:

  • Mandatory justification

  • Notes

  • Context

  • Evidence requirements

Custom Controls

Add your own organisational controls for:

  • Sector requirements

  • Contractual obligations

  • Data protection controls

  • Cloud / DevOps environments

  • Supplier-specific controls

Linked Evidence & Documentation

For each control attach:

  • Policies

  • SOPs

  • Technical configs

  • Risk assessments

  • Asset registers

  • Incident logs

Risk Register Integration

Every SoA control can be linked to:

  • Risk records

  • Treatment actions

  • Residual scores

  • Control effectiveness

Auditor Mode

Provide auditors with:

  • Controlled visibility

  • One-click evidence access

  • Control status summaries

  • Implementation notes

  • Review cycles and history

Review & Update Tracking

Automated:

  • Annual review reminders

  • Version control

  • Change logs

  • Owner notifications

What Makes Zebsoft Different

Zebsoft’s SoA tool is uniquely powerful because:

  • It allows custom controls

  • It links every control to real evidence

  • It integrates with your full ISMS

  • It uses role-based visibility

  • It supports multi-framework mapping (optional)

  • It is built for auditor engagement, not just internal use

Other systems give you a checklist.
Zebsoft gives you the beating heart of your ISMS.

Integrates Seamlessly with Other Modules

  • Risk Management: Link each control to risks and treatment plans

  • Document Control: Attach approved policies and procedures

  • Training & Competency: Assign mandatory ISMS training

  • Incident Management: Evidence response controls and prevention

  • Audit Management: Trigger control audits and produce reports

Zebsoft connects the SoA to every part of your compliance ecosystem.

Modules build your protection shield.

The SoA forms the core of your ISO 27001 protection shield — linking governance, risk, controls, documents, assets, and training into one integrated security posture.

With Zebsoft ISO 27001 Management Software, you can:

✅ Manage all Annex A controls with clarity
✅ Add custom controls for sector or client requirements
✅ Justify or exclude controls with auditable traceability
✅ Link controls to evidence, risks, training, and documents
✅ Generate auditor-ready SoA reports instantly
✅ Maintain a live, evolving ISMS that proves security governance

Zebsoft makes ISO 27001 compliance structured, traceable, and auditor-ready — every day, not just at audit time.

Who It’s For

Define applicability of each control, assign responsibilities, and link decisions to organisational risk.

Justify exclusions with supporting rationale and risk context. Maintain consistency across audits, controls, and incidents.

Upload policies, procedures, or test results to support each control’s implementation or effectiveness.

Gain oversight of strategic or high-impact changes. Approve with full context and confidence that compliance is upheld.

Access a full SoA register with status, justification, risk links, and documentation—ready for clause-by-clause inspection.

ZEBSOFT Features for Statement of Applicability

Live Annex A Control Register

Pre-loaded with ISO 27001:2022 Annex A controls—ready to assess and assign.

Applicability & Justification Fields

Log control status and rationale with configurable templates and required explanations.

Evidence & Risk Linking

Attach documents, risk assessments, or system policies to each control for audit reference.

Control Ownership Assignment

Assign control owners and track their review or implementation status.

Audit-Ready Output

Generate formatted SoA reports with real-time control status and traceability.

Review Scheduling & Change Tracking

Set recurring review intervals, track status changes, and log updates for each control.

Zebsoft’s ISO 27001 Statement of Applicability (SoA) Software provides organisations with a structured, audit-ready method for managing Annex A controls and demonstrating information-security governance.
Unlike static spreadsheets or checklist-driven systems, Zebsoft creates a living SoA, where each control is owned, justified, and linked to evidence, risks, and documentation.

Every Annex A control — and every custom control added by the organisation — includes adoption status, rationale, supporting notes, and connected compliance records. The platform enforces ISO 27001’s expectations around clarity, justification, and traceability, ensuring auditors can see exactly how controls are selected, implemented, maintained, and reviewed.

Because the Zebsoft SoA is integrated directly with your risk register, document control, training, and incident management, it becomes the central intelligence layer of your ISMS.
This turns the SoA into a dynamic governance tool rather than a static requirement — giving management, auditors, and security teams a clear, evidence-based view of control effectiveness and ongoing compliance.