Mapping Cyvex findings to ISO 27001 controls

Which Annex A controls Cyvex evidence supports, and which it doesn't.

ISO 27001's Annex A has 93 controls (2022 edition). Cyvex directly contributes evidence to roughly 20 of them — don't expect it to cover the whole Statement of Applicability. Here's which ones it genuinely supports and which ones you'll need other sources for.

Controls Cyvex supports directly

  • A.5.7 Threat intelligence: via the threat intel feed.
  • A.8.8 Management of technical vulnerabilities: scan cadence, triage records, and remediation SLAs.
  • A.8.9 Configuration management: cloud posture findings.
  • A.8.16 Monitoring activities: scan logs, alert logs.
  • A.8.28 Secure coding: via code-scanning integrations.

Controls you'll need other evidence for

Policy controls (A.5.1 – A.5.4), HR-security controls (A.6.*), physical security (A.7.*), and most operational-process controls need your own documentation, HR records, facilities records, etc. Cyvex doesn't substitute for any of them.

Keep the mapping document alive

Write a one-page mapping between your controls and where the evidence lives. This saves hours at audit time and forces you to notice drift. If a control has “TBD” as its evidence source, fix that before your auditor does.