"Is the SoA considered public? It specifies which controls have been implemented and verified in the certificate. It seems to me that the 27001 certificate is useless if you don't have access to the SoA that was used."
Answer:
Generally the SoA is not considered a public document, because it can contain internal information about the organization (for example, it can contain references to internal documents), so my recommendation is that you consider this document as Internal use or Restricted. There are various types of information; you can see them here: Information classification according to ISO 27001: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
And from my point of view, it is not necessary for external people to have access to the SoA (with some exceptions, for example auditors). Keep in mind that the certificate is issued by a certification body, which has reviewed the SoA in a certification audit process.
Finally, this article about the importance of the Statement of Applicability may be interesting for you: The importance of Statement of Applicability for ISO 27001: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Jan 12, 2016