My questions revolve around Annex A - in what format do we use Annex A in documentation. Do we leave it as it is provided by the standard? Do we annotate our specifics into it? Is it an actual Annex to the main ISMS document? When I look at the Statement of Applicability - it is identical but used in an audit / gap analysis context. Does the SOA include Annex A, in which case it is Annex A, or should they be kept separate? I think I understand the functionality of the main ISMS document and the SOA - I just don't see how Annex A is used without duplication of information with the SOA.
ISO 27001 Annex A is not to be used as a document for the ISMS. It is a reference for the definition of which controls to use to protect information and to build the Statement of Applicability. The SoA differs from Annex A because it only makes reference to the controls in Annex A (it does not contain the description of each control), and contains other information, such as which controls are applicable, whether they are implemented or not, and justification of controls from Annex A you are not using.