ISO 27001 Clause 6.1.3d

Statement of Applicability

Summary of ISO 27001:2022 Annex A control applicability for CUI Labs ISMS. Full detailed SoA available under NDA for qualified enterprise buyers.

Document Owner: CISO
Approved By: CEO / Board
Effective Date: Q2 2026+
Review Cycle: Annual

1. Introduction

This Statement of Applicability (SoA) documents which ISO 27001:2022 Annex A controls are applicable to CUI Labs ISMS, their implementation status, and justifications for applicability decisions.

Purpose

  • Document control selection based on risk assessment
  • Justify applicability or exclusion of each Annex A control
  • Track implementation status and evidence
  • Support audit and certification processes

Note: This is a summary SoA for public disclosure. The full detailed SoA with control-by-control evidence mapping is available under NDA for qualified enterprise buyers and auditors.

2. Control Applicability Summary

  • 93 Total Controls (ISO 27001:2022 Annex A)
  • 91 Applicable (98% coverage)
  • 2 Not Applicable (2% excluded)
  • 91 Implemented (100% of applicable)

3. Organizational Controls (A.5)

37 Controls, 37 Applicable

Covers policies, information security roles, asset management, access control, human resources security, supplier relationships, and incident management.

  • A.5.1 Policies for information security
  • A.5.2 Information security roles and responsibilities
  • A.5.7 Threat intelligence
  • A.5.10 Acceptable use of information and other associated assets
  • A.5.15 Access control
  • A.5.19 Information security in supplier relationships
  • A.5.24 Information security incident management planning and preparation
  • A.5.29 Information security during disruption

+ 29 additional controls (view full SoA under NDA)

4. People Controls (A.6)

8 Controls, 8 Applicable

Covers screening, terms and conditions of employment, information security awareness, disciplinary process, and responsibilities after employment termination.

  • A.6.1 Screening
  • A.6.2 Terms and conditions of employment
  • A.6.3 Information security awareness, education and training
  • A.6.4 Disciplinary process
  • A.6.5 Responsibilities after termination or change of employment
  • A.6.6 Confidentiality or non-disclosure agreements
  • A.6.7 Remote working
  • A.6.8 Information security event reporting

5. Physical Controls (A.7)

14 Controls, 12 Applicable

Covers physical security perimeters, physical entry, securing offices, protecting against external and environmental threats, working in secure areas, clear desk and screen, equipment siting, supporting utilities, cabling security, equipment maintenance, secure disposal, equipment security off-premises, and storage media.

  • A.7.1 Physical security perimeters
  • A.7.2 Physical entry
  • A.7.3 Securing offices, rooms and facilities
  • A.7.4 Physical security monitoring (not applicable; see exclusions below)
  • A.7.7 Clear desk and clear screen
  • A.7.11 Supporting utilities (not applicable; see exclusions below)
  • A.7.13 Secure disposal or re-use of equipment
  • A.7.14 Equipment security off-premises

+ 6 additional controls (view full SoA under NDA)

Exclusions: A.7.4 (Physical security monitoring) and A.7.11 (Supporting utilities) are not applicable as CUI Labs operates in managed office space with landlord-provided utilities and security monitoring.

6. Technological Controls (A.8)

34 Controls, 34 Applicable

Covers user endpoint devices, privileged access rights, information access restriction, access to source code, secure authentication, capacity management, protection against malware, technical vulnerability management, configuration management, information deletion, data masking, data leakage prevention, information backup, redundancy, logging, monitoring, clock synchronization, privileged utility programs, software installation, secure system engineering, secure development lifecycle, application security requirements, secure system architecture, change management, test information, protection of information systems during audit testing, web filtering, use of cryptography, secure development, system acquisition, supplier service delivery management, monitoring and review of supplier services, and managing changes to supplier services.

  • A.8.1 User endpoint devices
  • A.8.2 Privileged access rights
  • A.8.3 Information access restriction
  • A.8.5 Secure authentication
  • A.8.7 Protection against malware
  • A.8.8 Management of technical vulnerabilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities
  • A.8.24 Use of cryptography
  • A.8.25 Secure development life cycle
  • A.8.28 Secure coding
  • A.8.32 Change management

+ 22 additional controls (view full SoA under NDA)

7. Implementation Status

  • 91 Fully Implemented (100% of applicable controls)
  • 0 Partially Implemented (0% in progress)
  • 2 Not Applicable (2% excluded with justification)

8. Control Evidence & Verification

For each applicable control, CUI Labs maintains documented evidence of implementation, including:

Evidence Types

  • Policies and procedures
  • Configuration screenshots
  • Audit logs and reports
  • Training completion records
  • Vulnerability scan results
  • Penetration test reports
  • Backup verification logs
  • Incident response records

Verification Methods

  • Internal audits (annual)
  • Management reviews (quarterly)
  • External audits (ISO 27001 certification)
  • Continuous monitoring (SIEM, SOAR)
  • Automated compliance checks
  • Third-party assessments

9. Review & Updates

This Statement of Applicability is reviewed and updated:

  • Annually (minimum)
  • Following risk assessment changes
  • After significant organizational changes
  • When new controls are implemented
  • Following audit findings or recommendations

All changes to the SoA require CISO approval and are communicated to relevant stakeholders.

10. Requesting Full SoA

Access to Detailed SoA

The full detailed Statement of Applicability with control-by-control evidence mapping is available under NDA for:

  • Qualified enterprise buyers conducting due diligence
  • ISO 27001 certification auditors
  • Regulatory authorities (as required by law)
  • Strategic partners with contractual obligations

To request access, contact compliance@cuilabs.io with your organization details and intended use.

11. Related Documents

Document ID: SOA-001
Version: 1.0
Classification: Public Summary