- Organizations should identify all control objectives and actual controls selected for implementation when completing the SOA.
- The SOA doesn’t need to contain confidential asset and process information.
- Controls beyond those stated in the standard may also be included in the SOA.
- Any ISO 27001 controls that are not selected for compliance must be explained.