Expert Advice Community

Frequency of updating the Statement of Applicability

Guest user. Created: Jan 13, 2016. Last commented: Jan 13, 2016

I would just like to inquire about the frequency of updating the Statement of Applicability. Is there a need to update it after ISMS implementation? Say, for example, that during the initial phase one of the controls is not yet implemented, but after a year it is already documented and already in practice. Do we have to update the SoA because of that change?
DejanK Jan 13, 2016

Answer:

ISO 27001:2013, in its clause 6.1.3 d), says "produce a Statement of Applicability that contains the necessary controls... whether they are implemented or not". Therefore, you need to update the SoA once the status of your controls changes.

I think that updating the SoA once a year would be too infrequent; however, if you do it once a month or quarterly, that would be fine.

Guest post Jan 13, 2016

The Statement of Applicability or SoA, just like any other documented information within the ISMS, needs to be reviewed for suitability and adequacy (Cl. 7.5.2, ISO/IEC 27001:2013).

When controls are added, excluded or modified, the corresponding change must be effected in the SoA through proper change control mechanisms (Cl. 7.5.3.e, ISO/IEC 27001:2013).

Otherwise, the SoA would no longer be suitable or adequate for the organization, since it would contain outdated information.

Normally, I would have a policy that has fixed and instant review points for documented information.

Fixed review could be an annual review by the document owner or process owner.
Instant review would be when there are changes to the ISMS that affect documented information, e.g. changes in the technology used; changes in personnel nominated in disaster recovery plans or business continuity plans; changes in legal requirements, etc.
