...
ISO/IEC 27001 requires that you produce a Statement of Applicability (SoA). It must list the necessary controls (both those you have selected from Annex A and any additional controls you have determined are needed), state why each was selected and whether or not it is currently implemented, and give the justification for every Annex A control you have excluded. Many organisations maintain both an internal and an external-facing SoA, with different levels of confidential detail in each. Your SoA must be subject to version control.
SOA - Template
Outputs
- Risk treatment plan
- Statement of applicability
- An understanding of residual risk after control selection