Title: Statement of Applicability Template
Document ID: [GOV-SOA-001]
Version: 0.1 Draft
Status: Draft
Owner: CISO (Paul Jenkins)
Approver: CEO (Paul Hague)
Classification: Internal
Effective date: [DD Month YYYY]
Review date: [DD Month YYYY]

# Statement of Applicability Template

## Purpose

This template provides the structure for recording which information security controls are applicable to BlackDice's ISMS, why they are included or excluded, and how they are implemented.

## Scope

This template applies to the controls selected for the ISMS and should cover the approved control framework used by BlackDice for ISO/IEC 27001:2022 alignment.

## Data Fields / Expected Columns

The Statement of Applicability should record at least the following fields:

- control reference
- control title
- applicability status
- justification for inclusion or exclusion
- implementation summary
- related document or evidence reference
- control owner
- review date

## Ownership

This document should be owned by [Role]. Control owners must provide implementation detail for controls within their responsibility. Changes should be reviewed as part of risk treatment, audit, and management review activity.

## Update Frequency

The Statement of Applicability should be updated when:

- the control framework changes
- risks materially change
- new systems, services, or suppliers alter the control environment
- control implementation status changes
- audit or review identifies a required update

At minimum, it should be reviewed annually.

## Retention

Superseded versions should be retained in line with BlackDice's document and records retention requirements.

## Template Table

| Control Reference | Control Title | Applicable (Yes/No) | Justification | Implementation Summary | Related Document / Evidence | Control Owner | Review Date |
| --- | --- | --- | --- | --- | --- | --- | --- |
| [A.5.x] | [Control title] | [Yes/No] | [Reason] | [How implemented or planned] | [Document ID / record] | [Role] | [DD Month YYYY] |

## Completion Notes

- Exclusions must be explicitly justified.
- Implementation summaries should be factual and concise.
- References should point to policies, standards, procedures, or records rather than unsupported statements.
- Draft entries may identify planned implementation where controls are not yet fully established.

## Related Documents

- ISMS Scope Statement
- ISMS Manual
- Information Security Policy
- Risk Assessment and Treatment Methodology