Expert Advice Community

Is the SoA considered public?

Guest user Created: Jan 13, 2016 Last commented: Jan 13, 2016

Is the SoA considered public?

ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.

AntonioS Jan 13, 2016

"Is the SoA considered public? It specifies which controls have been implemented and verified in the certificate. It seems to me that the 27001 certificate is useless if you don't have access to the SoA that was used."

Answer:

Generally the SoA is not considered a public document, because it can contain internal information about the organization (for example, it can contain references to internal documents), so my recommendation is that you consider this document as "Internal use" or "Restricted". There are various types of information; here you can see them in "Information classification according to ISO 27001": https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
And from my point of view, for external people it is not necessary to have access to the SoA (with some exceptions, for example auditors). Keep in mind that the certificate is issued by a certification body, which has reviewed the SoA in a certification audit process.
Finally, this article about the importance of the Statement of Applicability can be interesting for you, "The importance of Statement of Applicability for ISO 27001": https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
