If an external auditor reveals any changes to the SoA during e.g. a surveillance audit, the certification will not be valid and a new certification process needs to be started since the scope has changed. My understanding is that an SoA is a working document that should be updated as needed as the business changes. Can you let me know which is correct and point to reference material that describes this?
Answer:
Your understanding about the SoA is correct. This is a living document that must be updated as needed. Sometimes this need to update is to reflect changes in risks that are not necessarily related to changes in the scope. In this case you have to record the decision made to update the SoA, and related information (e.g., update the risk assessment regarding the new risks). During a surveillance audit, the auditor will verify whether the change in the SoA was done according to the standard's requirements and the implemented documentation.
When changes in the SoA are in fact related to changes in the scope, besides the previously mentioned steps, you have to communicate this situation to your certification body so you can define how to approach it, because the certification scope will have to be updated. In some cases this will require an immediate surveillance audit, but in most cases this can be verified at the next external audit. For the additional scope you have to ensure that the same steps that were performed to implement the ISMS are taken.
This article will provide you with further explanation about the SoA:
- The importance of Statement of Applicability for ISO 27001 https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/
Nov 14, 2018