Expert Advice Community

Filling SoA

Guest user Created: Feb 07, 2019 Last commented: Feb 07, 2019

I need advice to identify the controls of an SoA based on the logical security of the standard ISO 27002:2013.
Expert
Rhand Leal Feb 07, 2019

Answer:

To perform the identification of applicable controls for the Statement of Applicability you need to consider:
- The results of risk assessment (risks identified as unacceptable will require the implementation of controls)
- Contracts, laws, regulations and other legal requirements that demand the implementation of controls (e.g., performance levels in Service Level Agreements, data protection under GDPR, etc.)
- Top management decisions about controls to be implemented that are not related to the previous reasons (e.g., because top management considers them good market practices).

These articles will provide you further explanation about SoA and risk management process:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- ISO 27001 vs. ISO 27002 https://advisera.com/27001academy/knowledgebase/iso-27001-vs-iso-27002/
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

These materials will also help you regarding risk management process:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar] https://advisera.com/27001academy/es/webinar/the-basics-of-risk-assessment-and-treatment-according-to-iso-27001-free-webinar/
