Guest
If after certifying the company there are changes in the SOA, what should proceed with the external audit?
Is there a rule of thumb (or best practice) as to how many controls from Annex A need to be sustained in the SOA (for smaller companies, i.e. 50-100 employees)?