The Statement of Applicability: Why 60% of Organizations Get This Critical ISO 27001 Document Wrong
The auditor opened our Statement of Applicability, spent about ninety seconds reviewing it, and said “We need to talk about your control exclusions.” I knew we were in trouble. This was about five years ago, consulting for a healthcare software company going through their first ISO 27001 certification. They’d spent months building their ISMS, documented everything, implemented controls across the board. But their Statement of Applicability was a disaster, and it was about to
The Cyber Policy Pro
Jan 139 min read





