Given our reliance on third party IT, should we include controls they use on our behalf (such as malware detection or logging) in our list of controls for purposes of the Statement of Applicability? They are certainly in place but we do not implement or control them, so we are not sure if they should be in our SoA.
Answer: You should include the controls in the SoA. Even if they are implemented by your IT service provider, including them in the SoA is a good idea because this way your organization will have a clear overview of who will implement which control, making it easier to keep track of all controls, who is responsible for each, and what their status is.
The proper way to do that is to state the control as applicable and indicate which third party will implement the control and what the legal basis for it will be (e.g., implemented by a third party according to the service agreement).
You should also note that by doing it this way you have to ensure that you state control A.15.1.2 (Addressing security within supplier agreements) as applicable and retain as evidence the service agreement with the security clauses your provider must comply with. These security clauses basically refer to the controls your organization states as applicable in your SoA and that you want the provider to apply.