Statement of Applicability
If, after the company is certified, there are changes in the SoA, how should one proceed with the external audit?
If there are changes in the SoA after certifying the company, you have to:
- review the risk assessment and treatment and the list of legal requirements, and update those so you can provide the basis you need to justify the changes in the SoA
- update the SoA to reflect the new status (i.e., update the status of controls and their justifications), and have it approved by top management
- update the risk treatment plan considering this new SoA
- implement the new controls, and gather evidence that the new applicable controls are working and achieving defined objectives.
Basically, you have to perform the risk assessment and treatment again.
For further information, see:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
Regarding the external audit, when the SoA is changed you need to inform the certification body about the changes made, so it can verify whether the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.
Mar 03, 2021