SOA for a global company

1. Can we add a column to the SOA justifying that one country does not develop? Or will that country have an own SOA?

Please note that justification for applicability/non-applicability of control is a mandatory requirement for the SoA (clause 6.1.3 “d”), so in case you have a control that is applicable to one country but not to the other, you can use this column to inform to which country the control applies or not.

For example: Control xxx is applicable to country A due to relevant risks aaa and bbb, but it is not applicable to country B because there are no relevant risks or legal requirements that justify its implementation. 

To see an SoA document compliant with ISO 27001, please access this free demo: https://advisera.com/27001academy/documentation/statement-of-applicability/

For further information, see:

• Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. Show we also add this to the scope statement? because not all controls apply to one country

Please note that the ISMS scope is written before the risk assessment and SoA, and it does not specify controls - it only specifies which parts of the company are included in the scope.

For further information, see:

• How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
• Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
• Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/