Expert Advice Community

SoA - Confidential?

Guest user Created:   Jan 13, 2016 Last commented:   Jan 13, 2016


ISO 27001 STATEMENT OF APPLICABILITY

List all controls and determine which are applicable and why.

AntonioS Jan 13, 2016

Our 27001 auditor says we have to share our Statement of Applicability, if requested. But our clients say this is confidential. Do you know which is right?

Answer:

ISO 27001 does not require the SoA to be a public document, so it is up to each company to consider whether it is confidential or not.
Then, generally the SoA is not considered a public document, because it can contain internal information about the business, and it is recommendable to consider this document as “Internal use” or “Restricted” (from my point of view this document is not “confidential”); this means that external people cannot access this document, although an exception can be an auditor.

This article about the classification of the information can be interesting for you “Information classification according to ISO 27001” : https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
And also this article about the importance of the SoA “The importance of Statement of Applicability for ISO 27001” : https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

Guest post Jan 13, 2016

Hi. Our auditor says the following, which makes sense to me:

"Statement of applicability is an externally facing document – it is referenced on their certificate scope and as such needs to be available to support the certificate. It isn’t explicitly stated in the standard but is accepted and understood because of the link to the certificate."

Without knowing what the SoA says, it isn't possible to confirm from the certificate what it actually covers.

What are your thoughts on this?

Thanks

AntonioS Jan 13, 2016

The main purpose of ISO 27001 is the protection of information, and the SoA can have important information about the business (information about business processes, references to documents, intranet links, etc.). You can share this information with some people (for example auditors), but not with the whole world. So, you need to protect it from unauthorized access, which means that this document should be considered as internal or restricted or confidential (from my point of view, never public).

Furthermore, if you have the certificate of ISO 27001:2013 issued by a certification body, it means that your business is compliant with the standard, so you do not need to share the content of the SoA with external companies, because the SoA has been reviewed by a certification auditor (the auditor is the only external person that is required to review the document).

Finally, take care when sharing information about your business, because it can produce threats, for example information leakage. If you want to see a list of threats and vulnerabilities, you can see this article "Catalogue of threats & vulnerabilities" : https://advisera.com/27001academy/knowledgebase/threats-vulnerabilities/

Guest post Jan 13, 2016

For this reason, we do not include sensitive information in our SoA. It is all well and good for the certificate to show that a company is compliant, but without visibility of the SoA we don't know the scope of that compliance, or the associated state of their security. A business could have marked all the key elements as not applicable, and been compliant.
