Security measures

The question is related to this article which speaks about the Statement of Applicability, so the form he mentions is Statement of Applicability: https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Answer:
I suppose that you mean “security measures”, if so, these measures should be determined by the company that have implemented ISO 27001 (not by his customer or by his certification body), and you only need to implement the measures that are necessary to reduce the risks identified during the risk assessment & treatment. So, in the SOA you will need to apply only the security measures that are necessary to reduce the risks identified.

By the way, you will complete the SOA after the risk treatment, but before the risk treatment plan. Do you want more information about the steps of t he risk assessment treatment? This article can be interesting for you “ISO 27001 risk assessment & treatment – 6 basic steps” : https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

This article can be also interesting for you “Risk Treatment Plan and risk treatment process – What’s the difference?” : https://advisera.com/27001academy/iso-27001-risk-assessment-treatment-management/#treatment

Finally, do you know our online course? “ISO 27001:2013 Foundations Course” : https://advisera.com/training/iso-27001-foundations-course/