Important Points When Using Statements of Applicability (SOAs): ISO 27001

  • Organizations should identity all control objectives and actual controls selected for implementation when completing the SOA.
  • The SOA doesn’t need to contain confidential asset and process information.
  • Controls in addition to those stated in the standard may also be stated as part of the SOA.
  • Any ISO 27001 controls that are not selected for compliance must be explained.