---
name: iso27001-soa-drafter
description: Draft an ISO/IEC 27001:2022 Statement of Applicability (SoA) for a small ISMS — with every Annex A control assessed for applicability, implementation status, justification, and reference to supporting evidence.
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: ISMS Managers, CISOs, Compliance Leads, IT Managers pursuing ISO 27001 certification, auditors scoping a small-firm ISMS
output_format: Formatted Markdown SoA with scope statement, all 93 Annex A controls (2022 revision) assessed, evidence-reference column, gap identification, and sign-off.
license: MIT
last-reviewed: 2026-04
---

# ISO 27001 SoA Drafter

A Claude Code skill for producing a defensible Statement of Applicability for a small-firm ISMS — every Annex A control of ISO/IEC 27001:2022 assessed, justified, and evidence-linked, ready for a Stage 1 audit.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/iso27001-soa-drafter`. Describe the organisation and ISMS scope. Answer the clarifying questions. Receive the SoA.

## How it complements VP Focus

VP Focus already ships the `runbooks/iso27001-annex-a-evidence-pack.md` — a control-by-control evidence outline. This skill produces the **SoA itself** — the living document certification bodies require, kept synchronised with the evidence pack.

## When to use this

- You're scoping an ISMS for first ISO 27001 certification and the SoA is required at Stage 1.
- You already have a certified ISMS and need to refresh the SoA for the 2022 revision of Annex A.
- You're transitioning from ISO 27001:2013 to :2022 (93 controls in 4 themes replacing 114 in 14 categories).
- An auditor has flagged the current SoA as shallow / missing justifications.
- You want a small-firm-sized SoA, not a 200-page enterprise version.

## What you'll get

A single Markdown document containing:

- **Scope statement** (legal entity, locations, services, interfaces, exclusions)
- **Version / review history**
- **SoA table** — every Annex A 2022 control (A.5 Organisational, A.6 People, A.7 Physical, A.8 Technological) with: applicability, implementation status, justification for inclusion/exclusion, evidence reference, owner
- **Controls excluded** summary with documented justifications
- **Gap register** for any applicable-but-not-yet-implemented control
- **Sign-off** page

## Clarifying questions I will ask you

1. **Legal entity and registered address?**
2. **ISMS scope definition** (whole organisation, specific site, specific product line)?
3. **Headcount in scope?**
4. **Primary services in scope?**
5. **Exclusions from scope** (and why)?
6. **Locations in scope?**
7. **Key information assets** (customer data, intellectual property, financial records)?
8. **Existing certifications** (ISO 9001, Cyber Essentials, SOC 2, etc.)?
9. **Stage 1 target date?**
10. **External certification body selected?**
11. **Existing ISMS policies** (IS Policy, Acceptable Use, Access Control, etc.)?
12. **Are all 93 controls expected to apply**, or do you expect some exclusions (rare for most orgs)?

## Output template

```markdown
# Statement of Applicability — <organisation>

**ISMS scope:** <scope statement>
**Standard:** ISO/IEC 27001:2022
**SoA version:** 1.0 · **Effective:** <date> · **Next review:** <date + 12 months>
**Owner:** <ISMS Manager> · **Approved by:** <Top Management>

## 1. ISMS Scope
<Paragraph. Legal entity, locations, services/products in scope, information assets in scope, interfaces with third parties. Explicit exclusions with reasoning.>

## 2. SoA Structure
ISO 27001:2022 Annex A contains 93 controls across 4 themes:
- A.5 Organisational controls (37)
- A.6 People controls (8)
- A.7 Physical controls (14)
- A.8 Technological controls (34)

For each control we record:
- **Applicable?** (Yes / No — if No, justification)
- **Implementation status** (Implemented / Partially / Planned)
- **Justification** for inclusion (why it matters to us)
- **Evidence reference** (policy / system / audit / log)
- **Owner**

---

## 3. SoA Table

### A.5 Organisational controls

| # | Control | Applicable? | Status | Justification | Evidence | Owner |
|---|---|---|---|---|---|---|
| A.5.1 | Policies for information security | Yes | Implemented | Foundation of ISMS | IS Policy v<N> | ISMS Mgr |
| A.5.2 | Information security roles and responsibilities | Yes | Implemented | Accountability matrix | Organisation chart + role descriptions | HR |
| A.5.3 | Segregation of duties | Yes | Implemented | Reduce single-point risk | Role-matrix + privileged-access register | IT |
| A.5.4 | Management responsibilities | Yes | Implemented | Top management engagement | Minutes of ISMS Steering Group | MD |
| A.5.5 | Contact with authorities | Yes | Implemented | ICO, NCSC, law enforcement contacts documented | Contacts register | DPO |
| A.5.6 | Contact with special interest groups | Yes | Implemented | Sector threat intelligence | Membership register | CISO |
| A.5.7 | Threat intelligence | Yes | Implemented | Risk-informed decisions | Threat-intel feed + monthly review | CISO |
| A.5.8 | Information security in project management | Yes | Implemented | Security in SDLC / projects | Project governance doc | PMO |
| A.5.9 | Inventory of information and other associated assets | Yes | Implemented | Asset register | Asset register v<N> | IT |
| A.5.10 | Acceptable use of information and other associated assets | Yes | Implemented | AUP | AUP v<N> | HR |
| A.5.11 | Return of assets | Yes | Implemented | Leaver process | Leaver checklist | HR |
| A.5.12 | Classification of information | Yes | Implemented | Public/Internal/Confidential/Restricted | Classification policy | DPO |
| A.5.13 | Labelling of information | Yes | Implemented | Sensitivity labels in M365 | Label policy + enforcement evidence | IT |
| A.5.14 | Information transfer | Yes | Implemented | Secure transfer rules | Transfer policy | IT |
| A.5.15 | Access control | Yes | Implemented | Access-control policy | ACP v<N> | IT |
| A.5.16 | Identity management | Yes | Implemented | Joiner/mover/leaver process | JML workflow | HR+IT |
| A.5.17 | Authentication information | Yes | Implemented | Password + MFA policy | Password policy, MFA evidence | IT |
| A.5.18 | Access rights | Yes | Implemented | Access-rights register | Register + review evidence | IT |
| A.5.19 | Information security in supplier relationships | Yes | Implemented | Supplier policy + DPAs | Supplier register | Procurement |
| A.5.20 | Addressing information security within supplier agreements | Yes | Implemented | DPA / contract clauses | Template contract clauses | Legal |
| A.5.21 | Managing information security in the ICT supply chain | Yes | Implemented | Supply-chain risk framework | Risk assessment per supplier | CISO |
| A.5.22 | Monitoring, review and change management of supplier services | Yes | Implemented | Supplier performance reviews | Quarterly review minutes | Procurement |
| A.5.23 | Information security for use of cloud services | Yes | Implemented | Cloud-use policy + CASB | Cloud policy | IT |
| A.5.24 | Information security incident management planning and preparation | Yes | Implemented | IR plan | IR runbook | CISO |
| A.5.25 | Assessment and decision on information security events | Yes | Implemented | Triage procedure | IR triage workflow | SOC |
| A.5.26 | Response to information security incidents | Yes | Implemented | IR playbooks | Playbook library | CISO |
| A.5.27 | Learning from information security incidents | Yes | Implemented | Post-incident reviews | PIR register | CISO |
| A.5.28 | Collection of evidence | Yes | Implemented | Forensic readiness | Evidence policy | CISO |
| A.5.29 | Information security during disruption | Yes | Implemented | BCP linkage | BCP v<N> | COO |
| A.5.30 | ICT readiness for business continuity | Yes | Implemented | DR plan | DR runbook | IT |
| A.5.31 | Legal, statutory, regulatory and contractual requirements | Yes | Implemented | Compliance register | Register + legal review | DPO/Legal |
| A.5.32 | Intellectual property rights | Yes | Implemented | IP policy | IP policy | Legal |
| A.5.33 | Protection of records | Yes | Implemented | Retention schedule | Retention schedule v<N> | DPO |
| A.5.34 | Privacy and protection of personal identifiable information (PII) | Yes | Implemented | Data Protection Policy | DPP + RoPA | DPO |
| A.5.35 | Independent review of information security | Yes | Implemented | Annual internal audit + external certification | Audit reports | ISMS Mgr |
| A.5.36 | Compliance with policies, rules and standards for information security | Yes | Implemented | Policy-compliance audits | Internal audit calendar | ISMS Mgr |
| A.5.37 | Documented operating procedures | Yes | Implemented | Runbook library | Runbook repository | IT |

### A.6 People controls

| # | Control | Applicable? | Status | Justification | Evidence | Owner |
|---|---|---|---|---|---|---|
| A.6.1 | Screening | Yes | Implemented | Pre-employment checks | HR screening policy | HR |
| A.6.2 | Terms and conditions of employment | Yes | Implemented | Confidentiality clauses in contract | Template contract | HR |
| A.6.3 | Information security awareness, education and training | Yes | Implemented | Induction + annual + phishing sim | Training records | HR + CISO |
| A.6.4 | Disciplinary process | Yes | Implemented | HR policy covers infosec breaches | Disciplinary procedure | HR |
| A.6.5 | Responsibilities after termination or change of employment | Yes | Implemented | Leaver policy | Leaver checklist | HR |
| A.6.6 | Confidentiality or non-disclosure agreements | Yes | Implemented | NDAs for staff and key suppliers | NDA templates | Legal |
| A.6.7 | Remote working | Yes | Implemented | Remote-working policy | Policy v<N> | IT |
| A.6.8 | Information security event reporting | Yes | Implemented | Incident reporting channels | Reporting guidance | CISO |

### A.7 Physical controls

| # | Control | Applicable? | Status | Justification | Evidence | Owner |
|---|---|---|---|---|---|---|
| A.7.1 | Physical security perimeters | Yes | Implemented | Office access controls | Access policy + photos | Facilities |
| A.7.2 | Physical entry | Yes | Implemented | Keycard system | Access logs | Facilities |
| A.7.3 | Securing offices, rooms and facilities | Yes | Implemented | Lockable rooms for sensitive material | Facilities map | Facilities |
| A.7.4 | Physical security monitoring | Yes | Implemented | CCTV + alarm | CCTV procedure | Facilities |
| A.7.5 | Protecting against physical and environmental threats | Yes | Implemented | Fire suppression, flood, climate | Facilities inspection | Facilities |
| A.7.6 | Working in secure areas | Yes | Implemented | Clean-desk, screen-lock | Clean-desk policy | HR |
| A.7.7 | Clear desk and clear screen | Yes | Implemented | Policy + screen-lock timeout | Screen-lock enforcement evidence | IT |
| A.7.8 | Equipment siting and protection | Yes | Implemented | Server room access controls | Server room procedure | IT |
| A.7.9 | Security of assets off-premises | Yes | Implemented | Laptop / mobile device policy | Device policy | IT |
| A.7.10 | Storage media | Yes | Implemented | Media-handling policy | Policy | IT |
| A.7.11 | Supporting utilities | Yes | Implemented | UPS, dual power where applicable | Facilities report | Facilities |
| A.7.12 | Cabling security | Yes | Implemented | Structured cabling standards | Cabling standards | IT |
| A.7.13 | Equipment maintenance | Yes | Implemented | Maintenance contracts | Supplier register | IT |
| A.7.14 | Secure disposal or reuse of equipment | Yes | Implemented | Disposal procedure + certificates | Disposal records | IT |

### A.8 Technological controls

| # | Control | Applicable? | Status | Justification | Evidence | Owner |
|---|---|---|---|---|---|---|
| A.8.1 | User endpoint devices | Yes | Implemented | Endpoint management + MDM | MDM compliance report | IT |
| A.8.2 | Privileged access rights | Yes | Implemented | PIM / JIT / separate admin accounts | PIM config + audit | IT |
| A.8.3 | Information access restriction | Yes | Implemented | RBAC | Access matrix | IT |
| A.8.4 | Access to source code | Yes | Implemented | Source-control access control | SCM audit | Eng Lead |
| A.8.5 | Secure authentication | Yes | Implemented | MFA + Conditional Access | CA export | IT |
| A.8.6 | Capacity management | Yes | Implemented | Monitoring + capacity reviews | Capacity reports | IT |
| A.8.7 | Protection against malware | Yes | Implemented | EDR | EDR coverage report | IT |
| A.8.8 | Management of technical vulnerabilities | Yes | Implemented | Vuln scanning + patching | Scan reports + patch compliance | IT |
| A.8.9 | Configuration management | Yes | Implemented | IaC + configuration baselines | Config management evidence | IT |
| A.8.10 | Information deletion | Yes | Implemented | Retention + deletion procedure | Deletion evidence | DPO |
| A.8.11 | Data masking | Yes | Implemented (where needed) | Sensitive data masked in non-prod | Masking evidence | IT |
| A.8.12 | Data leakage prevention | Yes | Implemented | DLP policies | DLP policy evidence | IT |
| A.8.13 | Information backup | Yes | Implemented | Backup procedure + restore tests | Backup test reports | IT |
| A.8.14 | Redundancy of information processing facilities | Yes | Implemented | HA + multi-AZ where relevant | Architecture diagrams | IT |
| A.8.15 | Logging | Yes | Implemented | Centralised logging | Log platform evidence | SOC |
| A.8.16 | Monitoring activities | Yes | Implemented | SIEM + alerts | SIEM rule set | SOC |
| A.8.17 | Clock synchronisation | Yes | Implemented | NTP | NTP config | IT |
| A.8.18 | Use of privileged utility programs | Yes | Implemented | Controlled, logged | Usage logs | IT |
| A.8.19 | Installation of software on operational systems | Yes | Implemented | Change control + allow-list | Change records | IT |
| A.8.20 | Networks security | Yes | Implemented | Firewall + segmentation | Network architecture | IT |
| A.8.21 | Security of network services | Yes | Implemented | Service-level controls | Network service inventory | IT |
| A.8.22 | Segregation of networks | Yes | Implemented | VLANs + zones | Network design | IT |
| A.8.23 | Web filtering | Yes | Implemented | DNS / proxy filtering | Filter logs | IT |
| A.8.24 | Use of cryptography | Yes | Implemented | Cryptography policy | Policy v<N> | CISO |
| A.8.25 | Secure development life cycle | Yes | Implemented (if develops) | SDLC doc | SDLC policy | Eng Lead |
| A.8.26 | Application security requirements | Yes | Implemented (if develops) | Security requirements in SDLC | Evidence | Eng Lead |
| A.8.27 | Secure system architecture and engineering principles | Yes | Implemented | Architecture principles | Principles doc | Architect |
| A.8.28 | Secure coding | Yes | Implemented (if develops) | Secure-coding standards | Training + PR-checks | Eng Lead |
| A.8.29 | Security testing in development and acceptance | Yes | Implemented (if develops) | Security testing in CI | CI evidence | Eng Lead |
| A.8.30 | Outsourced development | <Yes/No> | <status> | <if N/A, explain: no outsourced development> | <evidence> | <owner> |
| A.8.31 | Separation of development, test and production environments | Yes | Implemented | Env separation | Architecture | IT |
| A.8.32 | Change management | Yes | Implemented | Change process (CAB) | Change records | IT |
| A.8.33 | Test information | Yes | Implemented | Masked / synthetic test data | Test-data policy | IT |
| A.8.34 | Protection of information systems during audit testing | Yes | Implemented | Audit-support procedures | Audit procedure | ISMS Mgr |

## 4. Excluded Controls (if any)
List controls marked "Not applicable" with justification. Rare; typically only for organisations that genuinely don't develop software (A.8.25-A.8.30 subset) or don't have physical premises (A.7.x subset).

## 5. Gap Register
Any control marked "Partially" or "Planned":

| Control | Status | Gap | Remediation | Owner | Target |
|---|---|---|---|---|---|
| A.5.7 Threat intelligence | Partially | No formal monthly review | Establish monthly threat-intel review | CISO | <date> |
| A.8.8 Vulnerability management | Partially | Quarterly scanning, not continuous | Move to monthly scanning + agent-based | IT | <date> |

## 6. Sign-Off
**Top management approval:** ____________________________  Date: __________
**ISMS Manager:** ____________________________  Date: __________
```

## Example invocation

**User:** "45-person London fintech pursuing ISO 27001. First certification. We develop our own SaaS. Hosted on AWS. All staff UK. Stage 1 audit in 4 months."

**What the skill will do:**
1. Ask 12 questions, drilling on: scope (whole company or product-side only), whether in-house development is in scope (yes — implicates A.8.25-A.8.29), whether any processes are outsourced (A.8.30).
2. Produce the SoA marking all 93 controls applicable (typical for a software-developing fintech).
3. Populate evidence references tied to the firm's existing policies where known; flag where evidence needs creating before Stage 1.
4. Gap register likely highlights: formal threat-intelligence process, evidence of independent review (first-time certification means no prior external review), documented secure-coding standards if only informal.
5. Produce a Stage-1-aligned checklist: "by Stage 1, every cell in the Evidence column must point to a real, accessible artefact."

## Notes for the requester

- **Don't mark controls "Not applicable" to reduce scope.** Auditors scrutinise exclusions heavily. Most organisations find almost all 93 controls apply in some form.
- **The SoA is the single most-referenced document in an audit.** The auditor will sample controls and trace the evidence chain. Weak evidence references sink audits.
- **Evidence is more important than the policy text.** A policy with no enforcement evidence fails; an enforced control with only a brief policy passes.
- **Keep the SoA and the evidence pack in sync.** When a control's implementation changes, update both the SoA entry and the evidence file.
- **Annual review minimum.** On any material control change (new system, new risk, new threat), update the SoA entry immediately.
- **Good looks like:** Stage 1 auditor can open the SoA, pick three controls, and find traceable, current evidence within 5 minutes each.
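The checks in these notes can be run mechanically before Stage 1. The script below is an added example, not part of this skill or of VP Focus: it parses an SoA written in the output template above and reports controls missing from the 93, exclusions without a written justification, Partially/Planned controls absent from the gap register, and Evidence cells that still hold an unresolved `<...>` template slot. The regexes and column order are assumptions taken from the template; the sample rows are constructed.

```python
import re

# ISO/IEC 27001:2022 Annex A control counts per theme (37 + 8 + 14 + 34 = 93).
EXPECTED_COUNTS = {"A.5": 37, "A.6": 8, "A.7": 14, "A.8": 34}
# SoA row: "| A.5.1 | Control | Applicable? | Status | Justification | Evidence | Owner |"
SOA_ROW = re.compile(r"^\|\s*(A\.\d\.\d{1,2})\s*\|(.+)\|\s*$")
# Gap-register row: "| A.5.7 Threat intelligence | Partially | Gap | Remediation | Owner | Target |"
GAP_ROW = re.compile(r"^\|\s*(A\.\d\.\d{1,2})\s+[^|]*\|\s*(Partially|Planned)\s*\|")
PLACEHOLDER = re.compile(r"<[^>]*>")  # unresolved template slot such as <evidence> or v<N>
COLUMNS = ("name", "applicable", "status", "justification", "evidence", "owner")


def parse_soa(markdown):
    """Return ({control id: row dict}, {control ids present in the gap register})."""
    rows, gaps = {}, set()
    for line in markdown.splitlines():
        if (m := SOA_ROW.match(line)):
            cells = [c.strip() for c in m.group(2).split("|")]
            if len(cells) == len(COLUMNS):
                rows[m.group(1)] = dict(zip(COLUMNS, cells))
        elif (g := GAP_ROW.match(line)):
            gaps.add(g.group(1))
    return rows, gaps


def check_soa(markdown):
    """Return audit-style findings; an empty list means the SoA passes these checks."""
    rows, gaps = parse_soa(markdown)
    findings = []
    for theme, expected in EXPECTED_COUNTS.items():  # 1. every one of the 93 controls has a row
        present = sum(1 for cid in rows if cid.startswith(theme + "."))
        if present != expected:
            findings.append(f"{theme}: {present} of {expected} controls present")
    for cid, r in sorted(rows.items()):
        applicable = r["applicable"].lower()
        if applicable.startswith("no") and PLACEHOLDER.search(r["justification"] or "<missing>"):
            findings.append(f"{cid}: excluded without documented justification")  # 2. exclusions justified
        if r["status"].split(" ", 1)[0] in ("Partially", "Planned") and cid not in gaps:
            findings.append(f"{cid}: status '{r['status']}' but missing from gap register")  # 3. in sync
        if applicable.startswith("yes") and PLACEHOLDER.search(r["evidence"] or "<missing>"):
            findings.append(f"{cid}: evidence reference unresolved ({r['evidence'] or 'empty'})")  # 4.
    return findings


# Constructed sample: a handful of rows in the template's format, not a real SoA.
SAMPLE_SOA = """\
| A.5.1 | Policies for information security | Yes | Implemented | Foundation of ISMS | IS Policy v3.1 | ISMS Mgr |
| A.5.7 | Threat intelligence | Yes | Partially | Risk-informed decisions | Threat-intel feed | CISO |
| A.8.8 | Management of technical vulnerabilities | Yes | Partially | Vuln scanning | Scan reports | IT |
| A.8.24 | Use of cryptography | Yes | Implemented | Cryptography policy | Policy v<N> | CISO |
| A.8.30 | Outsourced development | No | N/A | <if N/A, explain> | n/a | Eng Lead |

| A.5.7 Threat intelligence | Partially | No formal monthly review | Establish monthly review | CISO | 2026-09 |
"""
```

Running `check_soa` over a complete SoA returns an empty list only when all four conditions hold; anything it returns is a cell to fix before the Stage 1 auditor samples it.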

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
