
Expert Advice Community

ISO 27001 controls (SOA)

Guest user Created: May 11, 2020 Last commented: May 14, 2020

1. Would you mind please explaining to me how can we justify the inclusion/exclusion of controls in the SOA?

2. And how can we justify the exclusion of a part of SMSI from the scope?


Expert
Rhand Leal May 11, 2020

1. Would you mind please explaining to me how can we justify the inclusion/exclusion of controls in the SOA?

First, it is important to note that all controls from ISO 27001 Annex A must be included in the SoA. The justifications are related to whether they are applied or not.

Considering that, broadly speaking, justifications for applying a control or not are based on:

  • results of the risk assessment (e.g., there are relevant risks that are handled by applying the control / there are no relevant risks requiring the application of the control)
  • legal requirements (e.g., laws, contracts, or regulations) (e.g., there are legal requirements requiring the application of the control / there are no legal requirements requiring the application of the control)
  • top management decision (the control is considered applicable by top management as a good practice / the control is not applicable by top management decision)

These articles will provide you a further explanation about risk management and SoA:

This material can also help you:

2. And how can we justify the exclusion of a part of SMSI from the scope?

Please note that ISO 27001 does not require justification for exclusions from the ISMS scope. You only need to ensure that the exclusion does not conflict with the requirements of interested parties, and external and internal issues relevant to the ISMS purpose and its intended outcome.

These articles will provide you a further explanation about the scope definition:

This material will also help you regarding scope definition:

Guest
Guest May 14, 2020

Thank you for this detailed explanation. I have a specific question: can we justify an exclusion of a control by the fact that the topic of this control is out of scope? Example: development policy not applicable because development is not performed in the ISMS scope. Can we have that in the SOA?

Expert
Rhand Leal May 14, 2020

It is possible to use such a justification for the exclusion of a control, but please note that the common understanding is that information in the SoA refers to elements that are part of the ISMS scope, and such a justification (referring to elements not in the ISMS scope) would only add unnecessary complexity to your document (e.g., an auditor would have to work again on the ISMS scope document to confirm that the development process is out of the scope).

It is simpler to say that the control is not applicable because there are no relevant risks and/or legal requirements demanding the implementation of the control.
