I would just like to inquire about the frequency of updating the Statement of Applicability. Is there a need to update it after ISMS implementation? Say, for example, that during the initial phase one of the controls is not yet implemented, but after a year it has been documented and is already in practice. Do we have to update the SoA because of that change?
ISO 27001:2013, in its clause 6.1.3 d), says "produce a Statement of Applicability that contains the necessary controls... whether they are implemented or not". Therefore, you need to update the SoA once the status of your controls changes.
I think that updating the SoA once a year would be too infrequent; however, if you do it once a month or quarterly, that would be fine.
The Statement of Applicability or SoA, just like any other documented information within the ISMS, needs to be reviewed for suitability and adequacy (Cl. 7.5.2, ISO/IEC 27001:2013).
When controls are added, excluded or modified, a corresponding change must be effected to the SoA through proper change control mechanisms (Cl. 7.5.3 e), ISO/IEC 27001:2013).
Otherwise, the SoA would no longer be suitable or adequate for the organization, since it would contain outdated information.
Normally, I would have a policy that has fixed and instant review points for documented information.
Fixed review could be an annual review by the document owner or process owner.
Instant review would be when there are changes to the ISMS that affect documented information, e.g. changes in the technology used; changes in personnel who are nominated in disaster recovery plans or business continuity plans; changes in legal requirements, etc.