sbd.govassure.uk

Statement of Applicability (SoA) Generator

Identify the Secure by Design controls and associated risks that apply to your project, based on the data you handle, the people you serve and the technologies you use.

Project details

Capture the metadata that will appear on the front page of your Statement of Applicability.

Project / service name

Project reference (e.g. portfolio or programme identifier)

Senior Responsible Owner (SRO)

Security lead / accreditor

Delivery phase

Information classification Per the Government Security Classifications Policy 2023.

Service description

Document date

How to use this tool

1. Enter project details.
2. Select the data types your service handles.
3. Identify your stakeholders.
4. Identify the technologies in scope.
5. Review the recommended controls, set priority and capture risks.
6. Export to Word, PDF or CSV.

All data is held in your browser. Nothing is sent to a server.

Data types in scope

Tick every data classification your service will create, process, store or share. Each selection drives the list of applicable controls and the data protection and privacy legislation that applies.

Stakeholders

Tick every group that will interact with the service or whose data is processed by it.

Technologies and architecture

Tick every technology component or pattern that is part of the design.

Applicable controls and risk register

Each control below has been identified as applicable to your selected data, stakeholders and technologies. Open a control to see its mapping to Secure by Design, NCSC CAF v4.0 and the Secure Controls Framework, and capture inherent and residual risk.

View The "Applicable" view filters the full SCF library by your data, stakeholder and technology selections. Switch to "All" to browse the complete framework, or to "Baseline" for the curated minimum.

Show

Baseline controls Other included controls Excluded controls

0 controls match

SCF domain

Priority

Status

By default the recommended baseline is included and all other SCF controls are excluded. Use these actions to bulk-include or reset.

Review and export

Statement of Applicability ready

Generate your document below.

Document content Controls how much detail appears in the on-screen preview, Word export and printed PDF. The CSV register always contains every control regardless of this setting.

Export options

Generate a printable Statement of Applicability or a data file that can be imported into a project risk register.

Load progress (JSON)