Question -ISO27001 Statement of Applicability

Hi all,

What’s the best way to generate an SoA from Eramba for ISO27001? I’m trying to filter in the Compliance Analysis module however I can’t find ‘compliance status’ as a filter option.


Assuming that by SOA you refer to a table were the following relationships are listed:

  • iso requirement
  • controls used to meet the requirement
  • policies used to meet the requirement
  • associated risks
  • associated exceptions (for example, you might have used them to address exclusions)

then the default filter for compliance analysis would do it:

you can export that as a CSV if you wish , you will then need other exports (on teh controls, risks, policies) to get the details of each one of these items too

the standard system report for compliance includes this filter at the bottom of the report too:

ps. sorry the screenshot above is for pci, but the same applies for ISO

is very important to understand con eramba works on terms of compliance !

For the pas 3 audits within our customers company the Auditor mentioned eramba not able to provide SOA WITHOUT manually altering documents. Upon the next audit (which is fulll ISO27001 certification path) he advised to get in contact with eramba to have this solved.

Currently we build the SOA by opening the system report - items. This will give a good overview of all compliant items with their mitigations. The items not compliant are not applicable within the organization, so they added them to the Compliance Exceptions page in eramba, using “Description” field to explain why it is non-applicable.

REQUEST: Can the System Item report be altered so it contains current information extended with table overview of all compliance exceptions using item ID, Name and Description fields?

The current behaviour is somewhat strange though:

  • when we download the system report - item of a compliance exception we get a PDF with only the selected exception
  • when we download the system report - item of a compliance item (page compliance analysis) we get a PDF wilth ALL compliancy items of the compliance package,

So i would assume, as we select only one compliancy item, it would generate a PDF with only the selected ittem

We could use the current report including all compliant items and all compliant exceptions as a new submenu option




im not sure i understand, you miss a compliance exception description column on your filter ?

something like that?


Boy i’m happy with your post:-) I didn’t know i could add these columns but found it. Also i was able to make a new item report with all columns except one: Exception Description. So it would be very welcome to have this description field selectable inside the report designer!

With that change we can generate a ISO27001 SOA right from eramba

EDIT: nevermind, i can use the Title field of the exception just like internal control and security policy. So all good to go!

any filter (saved) can be shown on a report , because when you add a “Filter” widget on a report you basically. select which filter you want included.

  • create a filter with the conditions and columns you want
  • save it
  • add an item report
  • select the filter widget, select the filter
  • add anything else you want
  • done

that is a custom filter showing only a few columns (otherwise the with would exceed the A4 limit of the report) … i think that is what you mean but maybe im wrong

Tnx for the explaination. I talked to my reviewer and the report is ok, except it needs the date of creation and a version number displayed. Are there any general macro’s available for the current date and maybe a version string = custom date format?

I’d concur.
Having the possibility to add a date or timestamp to any report would help to use them with (asset/risk owners) or in the certification

1 Like

Would be a great addition to have this.

you mean pdf stuff you download, right ?

1 Like

Yes PDF report downloads was what I was inferring.

ok - we’ll include on the top right corner of every page:

Report generated by $user on $date (14th March 2022) using eramba

Int. ref.:


this is how is going to look

Looks good to me :ok_hand:
Is that going to be global across all reports?