Statement of Applicability Engine
How Govula generates and maintains defensible Statements of Applicability.
This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.
What is a Statement of Applicability?
A Statement of Applicability (SoA) is a formal document required by standards such as ISO 27001. It lists all controls from the selected framework, indicates whether each control applies to your organization, and provides justification for the decision.
For applicable controls, the SoA documents the implementation status. For non-applicable controls, it explains why the control does not apply given the organization's context, risk profile, or operational scope.
The SoA is a critical audit artifact. Auditors use it to understand your scope, verify your risk treatment decisions, and assess whether your implementation matches your claims.
Why Standards Require It
ISO 27001, Clause 6.1.3(d), explicitly requires organizations to produce a Statement of Applicability that contains:
- The necessary controls (see 6.1.3(b) and (c))
- Justification for their inclusion
- Whether they are implemented or not
- Justification for excluding any controls from Annex A
Other frameworks such as SOC 2 and NIST have similar concepts, though they may use different terminology. The underlying requirement is the same: document what applies, what doesn't, and why.
How Govula Generates the SoA
The SoA generation process combines organizational context, framework requirements, and evidence to produce a structured, defensible document.
Step 1: Context Analysis
The engine reviews your organization's profile: industry, size, regulatory environment, operational scope, and any previously defined exclusions. This context determines baseline applicability assumptions.
Step 2: Control Enumeration
Every control from the selected framework(s) is enumerated. Controls are processed in their standard order, maintaining traceability to the source framework.
Step 3: Applicability Assessment
For each control, the engine assesses applicability based on organizational context. Controls related to activities you don't perform, technologies you don't use, or risks that don't apply to your scope may be marked as not applicable.
Step 4: Justification Generation
For each applicability decision, a structured justification is generated. This explains the reasoning in plain language that auditors and stakeholders can understand and verify.
Step 5: Evidence Association
For applicable controls, relevant evidence is linked. The SoA indicates what evidence supports the implementation claim and whether that evidence is current.
Step 6: Human Review Queue
All generated decisions are queued for human review. The platform highlights decisions that require attention, have low confidence, or represent changes from previous assessments.
Applicability Decision Logic
Applicability decisions follow a structured logic that considers multiple factors:
| Factor | Example | Impact |
|---|---|---|
| Industry | Healthcare vs. Retail | Different controls apply based on sector-specific risks |
| Scope | Cloud-only vs. hybrid | Physical security controls may not apply |
| Size | SME vs. Enterprise | Some controls assume organizational complexity |
| Technology | Uses mobile devices? | Determines whether mobile security controls apply |
| Prior Decisions | Previously excluded | Maintains consistency unless context changed |
The decision logic is deterministic given the same inputs. This means you can trace why a decision was made and predict how a decision would change if context changes.
AI-Generated Justifications
When justifications are generated, AI is used to produce clear, contextually appropriate language. The AI component:
- Receives the control definition, organizational context, and applicability decision
- Generates a justification that explains the decision in plain language
- References specific organizational attributes that informed the decision
- Maintains consistency with previous justifications for similar controls
Example Generated Justification
"Control A.8.7 (Protection against malware) is applicable. The organization operates endpoint devices across multiple locations and processes sensitive healthcare data. Anti-malware controls are implemented via Endpoint Detection and Response (EDR) software deployed to all managed devices, with automated updates and centralized monitoring."
Justifications are not static. If organizational context changes, justifications can be regenerated to reflect the new reality.
Human Oversight and Override
Govula does not replace human judgment. Every applicability decision and generated justification is subject to human review. The platform provides recommendations and structured reasoning; humans make final decisions.
Human oversight is maintained through:
- Review Queue: All new or changed decisions require explicit approval
- Override Capability: Any decision can be manually overridden with justification
- Confidence Scoring: Low-confidence decisions are flagged for review
- Audit Trail: All overrides and approvals are logged with attribution
When a human overrides a decision, the platform records the override reason and associates it with the user who made the change. This creates an audit trail that demonstrates human governance of the compliance process.
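The following is an added illustration, not Govula's own code, of the two mechanisms described above: the deterministic applicability logic (same control and same context always yield the same decision, with a trace back to the inputs that drove it) and the override audit trail (an override is rejected without a reason and is logged with the user who made it). The control references, tags, context attributes, the three rules and the template-based justification text are all constructed assumptions standing in for the platform's richer context model and AI-drafted wording.

```python
"""Constructed model of an SoA applicability engine: deterministic rules,
decision trace, confidence flag, review queue and override audit log."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hashlib import sha256
import json


@dataclass(frozen=True)
class Control:
    ref: str            # control reference, e.g. "A.8.7" (sample values)
    title: str
    tags: frozenset     # facets the control depends on: "physical", "endpoints", "mobile"


@dataclass
class OrgContext:
    industry: str
    scope: str                  # "cloud-only" or "hybrid" (assumed vocabulary)
    technologies: frozenset     # technologies in use, e.g. {"endpoints"}
    prior_exclusions: dict = field(default_factory=dict)  # ref -> fingerprint at exclusion time

    def fingerprint(self) -> str:
        """Stable hash of the decision inputs: lets a prior exclusion be checked
        against the context it was made in, and makes re-runs reproducible."""
        payload = json.dumps({"industry": self.industry, "scope": self.scope,
                              "technologies": sorted(self.technologies)}, sort_keys=True)
        return sha256(payload.encode()).hexdigest()[:16]


@dataclass
class Decision:
    control: Control
    applicable: bool
    justification: str
    confidence: str          # "high" or "low"; low lands in the review queue
    inputs: dict             # trace: which context attributes drove the decision
    audit_log: list = field(default_factory=list)


def assess(control: Control, ctx: OrgContext) -> Decision:
    """Deterministic rules: identical inputs always produce an identical decision."""
    fp = ctx.fingerprint()
    inputs = {"context_fingerprint": fp, "tags": sorted(control.tags)}
    # Rule 1: a prior exclusion is kept only while the context is unchanged.
    if control.ref in ctx.prior_exclusions:
        inputs["prior_exclusion"] = True
        if ctx.prior_exclusions[control.ref] == fp:
            return Decision(control, False, f"{control.ref} ({control.title}) remains not applicable: "
                            "previously excluded and organizational context is unchanged.", "high", inputs)
        return Decision(control, True, f"{control.ref} ({control.title}) was previously excluded, but the "
                        "organizational context has changed; re-assess before relying on the exclusion.",
                        "low", inputs)
    # Rule 2: physical controls do not apply to a cloud-only scope.
    if "physical" in control.tags and ctx.scope == "cloud-only":
        inputs["scope"] = ctx.scope
        return Decision(control, False, f"{control.ref} ({control.title}) is not applicable: scope is "
                        "cloud-only with no organization-managed premises.", "high", inputs)
    # Rule 3: technology-specific controls apply only when that technology is in use.
    tech_tags = control.tags & {"mobile", "endpoints"}
    if tech_tags and not (tech_tags & ctx.technologies):
        inputs["technologies"] = sorted(ctx.technologies)
        return Decision(control, False, f"{control.ref} ({control.title}) is not applicable: the "
                        f"organization does not use {', '.join(sorted(tech_tags))}.", "high", inputs)
    inputs["industry"] = ctx.industry
    return Decision(control, True, f"{control.ref} ({control.title}) is applicable to a {ctx.industry} "
                    f"organization with {ctx.scope} scope.", "high", inputs)


def override(d: Decision, user: str, applicable: bool, reason: str) -> Decision:
    """Manual override: rejected without a reason; otherwise logged with attribution."""
    if not reason.strip():
        raise ValueError("override requires a justification")
    d.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                        "from": d.applicable, "to": applicable, "reason": reason})
    d.applicable = applicable
    d.justification = f"Manual override by {user}: {reason}"
    d.confidence = "high"   # a human decision is final, but it stays in the log
    return d


def review_queue(decisions):
    """Decisions needing human attention: here, every low-confidence decision."""
    return [d for d in decisions if d.confidence == "low"]


# Constructed sample controls (ISO 27001:2022 Annex A style references).
SAMPLE_CONTROLS = [
    Control("A.7.1", "Physical security perimeters", frozenset({"physical"})),
    Control("A.8.1", "User endpoint devices", frozenset({"endpoints"})),
    Control("A.8.7", "Protection against malware", frozenset({"endpoints"})),
]


def run_sample():
    """Assess the sample controls for a constructed cloud-only healthcare organization."""
    ctx = OrgContext("healthcare", "cloud-only", frozenset({"endpoints"}))
    ctx.prior_exclusions["A.7.1"] = ctx.fingerprint()   # exclusion recorded under this same context
    return ctx, [assess(c, ctx) for c in SAMPLE_CONTROLS]


if __name__ == "__main__":
    ctx, decisions = run_sample()
    for d in decisions:
        print(d.confidence, d.applicable, d.justification)
```

Changing the scope to `hybrid` while keeping the recorded exclusion for A.7.1 makes its fingerprint mismatch, so the engine no longer trusts the old exclusion, marks the decision low confidence and places it in the review queue; an auditor's override then replaces the decision and leaves a log entry naming the user and the reason.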
Structured, Defensible Reasoning
The platform produces reasoning that is:
Traceable
Every decision links to the inputs that informed it. You can trace from a justification back to the organizational context and control definition.
Consistent
Similar controls in similar contexts receive similar treatment. The logic doesn't produce contradictory decisions.
Explainable
Justifications are written in plain language that auditors and stakeholders can understand without technical expertise.
Auditable
All decisions, overrides, and changes are logged. Auditors can verify the decision-making process.
Important Clarifications
Govula does not make compliance decisions for you. It provides structured analysis and recommendations. Your compliance team reviews, approves, or overrides these recommendations.
Govula does not guarantee compliance. It helps you maintain a defensible compliance posture through structured processes and documentation. Actual compliance depends on your implementation of controls.
AI-generated content is a starting point. Every justification should be reviewed by qualified personnel. The AI assists with drafting; humans own the final content.