SoA and outsourced IT
Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview of who will implement which control, making it easier to keep track of all controls, who is responsible for them, and what their status is.
The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what the legal basis for it will be (e.g., implemented by a third party according to the service agreement).
You should also note that by doing it this way you have to ensure that you state control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.
These articles will provide you further explanation about controls in outsourced IT:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- Which security clauses to use for supplier agreements? https://advisera.com/27001academy/blog/2017/06/19/which-security-clauses-to-use-for-supplier-agreements/
These materials will also help you regarding controls in outsourced IT:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Jul 18, 2017