Internal Audit and Statement of Applicability
1. Does the internal audit need to happen before Stage 1 certification audit? Or can we schedule an internal audit to happen following Stage 1 when we have implemented the feedback?
2. Currently working on the Statement of Applicability and I wanted to ask if all of the controls we say YES to implementing, do they need to be noted down in the Risk Treatment process? Or is it okay to have some additional controls in the Statement of Applicability in comparison to the Treatment?
1. Does the internal audit need to happen before Stage 1 certification audit? Or can we schedule an internal audit to happen following Stage 1 when we have implemented the feedback?
Performing an internal audit is a mandatory requirement of ISO 27001 (clause 9.2), so it needs to be performed before the Stage 1 certification audit.
For further information, see:
- ISO 27001 implementation steps https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
2. Currently working on the Statement of Applicability and I wanted to ask if all of the controls we say YES to implementing, do they need to be noted down in the Risk Treatment process? Or is it okay to have some additional controls in the Statement of Applicability in comparison to the Treatment?
I’m assuming you are referring to the Risk Treatment Plan.
Considering that, please note that only controls that need to be implemented or improved should be considered in the Risk Treatment Plan.
In case the control is already implemented and does not need any adjustments, it will not be referred to in the Risk Treatment Plan.
For further information, see:
Hi there,
Thanks for your response. Regarding my second question, it was more about the Statement of Applicability. Having completed the Risk Treatment process and selected which controls we want to implement, is the idea that we then go into the Statement of Applicability to ONLY justify the controls we have said yes to? Do the two documents need to correlate essentially?
For example, if I find a control on the Statement of Applicability and think there's a place to implement that control in our ISMS, do I need to go back into the Risk Treatment and find which risk that would be applicable to and note it down?
Hope that's clear.
Thanks for your response. Regarding my second question, it was more about the Statement of Applicability. Having completed the Risk Treatment process and selected which controls we want to implement, is the idea that we then go into the Statement of Applicability to ONLY justify the controls we have said yes to? Do the two documents need to correlate essentially?
Answer: Your assumption is partially correct. The Risk Treatment Table and the Statement of Applicability (SoA) documents are indeed correlated, but in the SoA, besides the justifications for the controls you deem applicable, you also need to justify the exclusion of controls you do not apply, and to state whether the applicable controls are implemented or not.
For example, if I find a control on the Statement of Applicability and think there's a place to implement that control in our ISMS, do I need to go back into the Risk Treatment and find which risk that would be applicable to and note it down?
Answer: No, there is no need to go back to the Risk Treatment Table. In other words, in the Statement of Applicability you can select controls as applicable without having a reference to a particular risk.
Apr 20, 2023