Statement of Applicability

The Statement of Applicability (SOA) lists all ISM controls with their applicability and implementation status. IRAP assessors require it. QuantAssure supports a round-trip workflow: export to CSV, send to assessor, import their updates.

SOA Table View

Navigate to Compliance → your IRAP target → Statement of Applicability.

The SOA table provides a dense view of all controls with:

  • Control ID and name
  • Applicability (Applicable / Not Applicable)
  • Compliance status
  • Implementation notes

Inline Editing

Click any field to edit directly in the table:

  • Applicability: select from dropdown
  • Status: select from dropdown
  • Implementation notes: click to open text editor, save with Cmd+Enter

Filtering

  • Filter by topic, status, or applicability
  • Search by control ID or keywords
  • Stats bar shows totals: Applicable, Not Applicable, Compliant, Gaps, Not Assessed

Exporting for Assessor Review

Export Process

  1. Click "Export CSV" on the SOA page
  2. CSV includes all controls with current status and notes
  3. Send the CSV to your IRAP assessor

What the CSV Contains

  • Control ID, control name, topic
  • Applicability and reasoning
  • Current compliance status
  • Implementation notes
  • Columns for assessor to fill: determination, notes, evidence

Importing Assessor Updates

The Round-Trip Workflow

  1. You export the SOA as CSV
  2. Assessor reviews and fills in their columns
  3. You import the updated CSV back into QuantAssure
  4. System updates statuses and creates evidence records

Import Process

  1. Click "Import CSV" on the SOA page
  2. Select the assessor's updated CSV file
  3. Review the import summary
  4. Confirm the import

What Gets Updated

  • Control statuses updated to assessor's determination
  • Implementation notes merged with assessor notes
  • Evidence records created (type: assessor_review)
  • All changes logged in audit trail

Import will overwrite existing status and notes for controls included in the CSV.

After Import

  • Review your readiness dashboard for updated scores
  • Address any gaps identified by the assessor
  • Add evidence for controls the assessor flagged

Learn more about readiness tracking →