I have a question around the SOA controls. Our company was certified last year on ISO 27001 and we have the surveillance audit coming up.
1. What happens in the case where we realize that some SOA controls that were marked as N/A during last year's audit could actually be applicable...
2. What impact will it have on our surveillance audit?
3. Would we need to recertify before going for the surveillance audit?
1. What happens in the case where we realize that some SOA controls that were marked as N/A during last year's audit could actually be applicable...
If you think that one or more controls previously stated as non-applicable may now be applicable, you have to:
- review the risk assessment and treatment and the list of legal requirements, and update those that will provide the basis on which you will justify the now-applicable controls
- update the SoA to reflect the new status (i.e., state the related controls as applicable and provide justification for their applicability), and have it approved by top management
- update the risk treatment plan considering these new applicable controls
- implement the controls, and gather evidence that the new applicable controls are working and achieving defined objectives.
Basically, you have to perform the risk assessment and treatment again.
For further information, see:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
2. What impact will it have on our surveillance audit?
When the SoA is changed, you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.
3. Would we need to recertify before going for the surveillance audit?
There is no need for re-certification in case of changes in the SoA. During the surveillance audit, the certification auditor will verify whether or not the change has negatively impacted your ISMS, and provide his conclusions in the audit report, together with related non-conformities if necessary.
May 28, 2020