ISO 27001 has plenty of mandatory requirements for alignment and certification, but these refer to the management system itself, not to the controls that actually make the system work and protect information security. This preserves the vendor-neutral nature of ISO 27001: a one-person organisation can pursue the same goals as a massive consultancy, and each can weigh up which controls are most suitable for implementing its own ISMS. At the end of ISO 27001, [[Annex A]] outlines a set of controls that **may** be used to manage the objectives of the organisation and of the ISMS, so a Statement of Applicability (SoA) is simply a statement of whether each of these controls is applicable (relevant) to the authoring organisation. The full list of controls is set out in [[The ISO 27000 Family#ISO 27002|ISO 27002]], where each one is explained in a lot more detail. An absolutely cracking SoA is available via the iso27001security ISO 27001 Toolkit, which I'll link to [here](https://www.iso27001security.com/html/toolkit.html). It comes as an Excel spreadsheet, bundled with a table of the mandatory requirements of an ISMS.