The preparation of a document analogous to a Statement of Applicability (SOA) is a fundamental activity within the Plan phase of the PDCA cycle. Although the term "SOA" is formally a requirement of ISO/IEC 27001, the underlying concept in ISO 22301 involves determining and justifying the selection of business continuity strategies and solutions. This process of identification, selection, and planning is explicitly covered under Clause 6 "Planning" and Clause 8.3 "Business continuity strategies and solutions" of the ISO 22301 standard. The 'Plan' phase is where the organization establishes its objectives and the processes necessary to deliver results in accordance with its business continuity policy, making it the correct stage for this activity.

B. Do: This phase is for implementing the business continuity strategies and plans that were selected and defined during the 'Plan' phase.

C. Check: This phase involves monitoring, measuring, and reviewing the performance and effectiveness of the implemented BCMS against objectives, not the initial preparation.

D. Act: This phase focuses on taking corrective actions and making improvements to the BCMS based on the results of the 'Check' phase.

1. ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements.

Clause 0.4, "Plan-Do-Check-Act (PDCA) cycle": This section explicitly maps the clauses of the standard to the PDCA cycle. It states, "This International Standard applies the Plan-Do-Check-Act (PDCA) cycle... Plan (clauses 4, 5, 6, 7): establish business continuity policy, objectives, controls, processes and procedures relevant to improving business continuity..." This directly places the planning activities, which include determining applicable strategies, within the 'Plan' phase.

2. Hermawan, A., & Rahaningsih, N. (2020). Design of Business Continuity Management System (BCMS) based on ISO 22301: 2012. IOP Conference Series: Materials Science and Engineering, 830(3), 032043.

Section 3, "Research Methodology": In the description of the PDCA cycle application (Figure 1), the authors map the "Planning" stage to activities such as defining the scope, policy, objectives, and identifying requirements. The selection of appropriate strategies is an inherent part of this planning process before implementation ('Do') can begin. DOI: https://doi.org/10.1088/1757-899X/830/3/032043

3. Rittinghouse, J. W., & Ransome, J. F. (2017). Business Continuity and Disaster Recovery for InfoSec Managers. Syngress, Elsevier.

Chapter 4, "Business Continuity Management," Section "ISO 22301 and the PDCA Cycle": This academic text explains that the 'Plan' phase involves all the preparatory work, including "determining the business continuity strategy." This confirms that strategic decisions about applicability are made during planning.