# About the Statement of Applicability

In essence, the Statement of Applicability shows the outcome of the risk treatment process ([6.1.3a](../../Corpus/Standards/MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md)). It is usually presented as a table of Annex A controls, together with a short explanation for the selection *or* exclusion of each, and its implementation status.

This follows directly from [Clause 6.1.3d](../../Corpus/Standards/MoCs/ISO_27001_2022_6.1.3_MoC%20Information%20security%20risk%20treatment.md), which requires that the Statement of Applicability contain:

* the controls that are **necessary** to implement the chosen risk treatments, including the rationale for their selection
* the **status** of their implementation *("whether the necessary controls are implemented or not")*
* the reason for exclusion of any and all other controls from Annex A.

Though ISO 27002 offers guidelines for the implementation of the controls from Annex A, the organization is free in how it designs them. The organization is also free to identify them "from any source", so you could also include controls from, for instance, XXX or YYY.

One is generally advised to "Comply or Explain", which means you implement *all* controls from Annex A in some form, or you explain why you don't need to, based on your risk analysis and chosen risk treatment.