# ISO 42001 Statement of Applicability

> Build and validate the SoA for ISO/IEC 42001:2023 Annex A with justification and implementation evidence.



Tags: ISO 42001, SoA, Annex A, Compliance, AI


## Example Prompts

- Draft our Statement of Applicability for ISO 42001
- Update our SoA with justification for excluded controls
- Validate our SoA before the certification audit

URL: https://rakenne.app/skills/iso42001-statement-of-applicability/index.md




## Getting Started

Add your source materials to the project workspace, then activate the *ISO 42001 Statement of Applicability* skill. The agent will guide you through the process step by step.

## Example conversation

**You:** We need a Statement of Applicability for Annex A. We’ve done our risk assessment—can you draft the SoA with applicable/not applicable and justification for each control theme, and then validate it?

**Agent:** I’ll use the Annex A control list (A.1–A.11) from the skill reference. For each theme I’ll set applicable or not applicable with a specific justification and, for applicable controls, a reference to our policy or procedure. I’ll avoid generic “N/A” for exclusions. Then I’ll run **soa_justification_audit** on the SoA and fix any missing justifications or evidence links until the audit passes.

## Output excerpt

### SoA excerpt (Annex A control themes)

| Control | Status | Justification | Implementation evidence |
|---------|--------|---------------|--------------------------|
| A.1 AI governance and leadership | Applicable | Governance and policy review defined; top management approval of AI policy. | AI policy; AIMS scope; roles document. |
| A.2 AI risk management | Applicable | Risk methodology and register in place; ethical evaluation in methodology. | Risk assessment methodology; risk register. |
| A.5 Data governance and data quality | Applicable | Data governance procedure covers acquisition, quality, provenance, security. | Data governance procedure. |
| A.10 AI incident management | Applicable | Incident response procedure and log; escalation and corrective action. | Incident response procedure. |
| A.9 Technical robustness and AI safety | Not applicable | No high-criticality or safety-related AI in scope; recommendation system only. Organization does not operate safety-critical AI. | — |

## Extension and validation

The skill includes **soa_justification_audit**, which validates the SoA for Annex A (A.1–A.11). It checks: every control theme is addressed; excluded controls have a non-generic justification; applicable controls have both justification and a reference to implementation evidence (policy, procedure, or document). Optionally, with a workspace root, it verifies that referenced evidence files exist. Run it after drafting and fix any errors before the certification audit.
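The three checks described above can be sketched as follows. This is an added example, not the skill's own `soa_justification_audit` code; the function names, the placeholder pattern and the five-word minimum for a "non-generic" justification are assumptions, and the optional evidence-file check is left out.

```python
import re

THEMES = [f"A.{n}" for n in range(1, 12)]  # A.1-A.11, the range this page names
# Assumption: "generic" means a placeholder value or fewer than MIN_WORDS words.
PLACEHOLDER = re.compile(
    r"^(n/?a|not applicable|none|tbd|out of scope|[-\u2014\s]*)\.?$", re.I)
MIN_WORDS = 5

# Constructed sample: A.1 is complete, A.2 lacks evidence, A.9 is a generic exclusion.
SAMPLE = """
| Control | Status | Justification | Implementation evidence |
|---------|--------|---------------|--------------------------|
| A.1 AI governance and leadership | Applicable | Governance and policy review defined; top management approval of AI policy. | AI policy; AIMS scope; roles document. |
| A.2 AI risk management | Applicable | Risk methodology and register in place. | \u2014 |
| A.9 Technical robustness and AI safety | Not applicable | N/A | \u2014 |
"""

def parse_soa(markdown):
    """Return {control_id: (status, justification, evidence)} from a pipe table."""
    rows = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        match = re.match(r"(A\.\d+)\b", cells[0])
        if match and len(cells) == 4:  # header and separator rows do not match
            rows[match.group(1)] = (cells[1].lower(), cells[2], cells[3])
    return rows

def audit_soa(markdown):
    """Return findings in theme order; an empty list means the SoA passes."""
    rows, findings = parse_soa(markdown), []
    for theme in THEMES:
        if theme not in rows:
            findings.append(f"{theme}: not addressed")
            continue
        status, justification, evidence = rows[theme]
        if status not in ("applicable", "not applicable"):
            findings.append(f"{theme}: unknown status")
        if PLACEHOLDER.match(justification) or len(justification.split()) < MIN_WORDS:
            findings.append(f"{theme}: generic or missing justification")
        if status == "applicable" and PLACEHOLDER.match(evidence):
            findings.append(f"{theme}: applicable but no implementation evidence")
    return findings

if __name__ == "__main__":
    for finding in audit_soa(SAMPLE):
        print(finding)
```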


