Expert Advice Community


Filling a SoA template

Guest user Created:   Aug 04, 2018 Last commented:   Aug 04, 2018


Expert
Rhand Leal Aug 04, 2018

Hello rhandleal,

Thank you for your helpful answer and advice. Besides, would you mind answering another question? This would be so kind of you. Now I'm filling the document "Statement of Applicability". I got a bit stuck in the column "Reason for choosing / Reason for exclusion". I mean, I read Dejan's note that this column is all about the results of the risk assessment and the contractual and legal obligations. But some controls our risk assessment didn't even touch. I know that we have to have a guideline above all. But what's the reason for choosing? (Because we want to have the certificate. ;)) For now I wrote: "protection of information against internal and external threats, intentional and accidental." Or is it better, if you implement the control, to ALWAYS write (the same): "based on the results of the risk assessment, the contractual and legal obligations"?

Answer: If your risk assessment does not identify risks that justify the applicability of a control, then you should look for clauses in laws, contracts or standards you have to follow that may demand the application of such controls. In this case you may state "control applicable to comply with law/contract XXXX, clause YYYY".

If you still do not find legal requirements to justify controls applicability, you can state "Control applicable because of a Top Management decision to follow industry/market best practices", or "Control applicable because of a Top Management decision to support a business objective".

You should note that you will hardly use the last examples (based on a top management decision), because generally there will be risks or legal clauses to support a control's applicability.

This article will provide you with further explanation about the SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

