SOA for a global company

NDM. Created: Jul 20, 2022. Last commented: Jul 22, 2022.

We are in the process of certifying a global company. There are 2 countries within the scope. One of the countries within the scope does not develop or maintain systems.

1. Can we add a column to the SOA justifying that one country does not develop? Or will that country have its own SOA?

2. Should we also add this to the scope statement, because not all controls apply to one country?

Thank you for all the responses.

Expert
Rhand Leal Jul 22, 2022

1. Can we add a column to the SOA justifying that one country does not develop? Or will that country have an own SOA?

Answer: Please note that justification for applicability/non-applicability of a control is a mandatory requirement for the SoA (clause 6.1.3 "d"), so in case you have a control that is applicable to one country but not to the other, you can use this column to indicate to which country the control applies or not.

For example:
Control xxx is applicable to country A due to relevant risks aaa and bbb, but it is not applicable to country B because there are no relevant risks or legal requirements that justify its implementation. 

To see an SoA document compliant with ISO 27001, please access this free demo: https://advisera.com/27001academy/documentation/statement-of-applicability/

For further information, see:

- Statement of Applicability in ISO 27001 – What is it and why does it matter? https://advisera.com/27001academy/knowledgebase/the-importance-of-statement-of-applicability-for-iso-27001/

2. Should we also add this to the scope statement, because not all controls apply to one country?

Answer: Please note that the ISMS scope is written before the risk assessment and SoA, and it does not specify controls - it only specifies which parts of the company are included in the scope.

For further information, see:

- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
- Tool for defining the ISO 27001 ISMS scope https://advisera.com/insight/chatbot-tool-iso-27001-scope/
