Take the ISO 27001 course exam and get the EU GDPR course exam for free
LIMITED-TIME OFFER – VALID UNTIL SEPTEMBER 30, 2021

Expert Advice Community

Guest

Statement of Applicability

  Quote
Guest
Lajvar Created:   Mar 02, 2021 Last commented:   Mar 03, 2021

Statement of Applicability

If after certifying the company there are changes in the SOA, what should proceed with the external audit?

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Mar 03, 2021

If there are changes in the SOA after certifying the company you have to:

  • review the risk assessment and treatment and the list of legal requirements, and update those so you can provide the basis you need to justify the changes in the SoA
  • update the SoA to reflect the new status (i.e., update the status of controls and their justifications), and have it approved by top management
  • update the risk treatment plan considering these new SoA
  • implement the new controls, and gather evidence that the new applicable controls are working and achieving defined objectives.

Basically, you have to perform the risk assessment and treatment again.

For further information, see:

Regarding the external audit, when the SoA is changed you need to inform the certification body about the changes made, so it can verify if the surveillance audit needs adjustment, either in duration or in the number of required auditors, due to the change in the number of applicable controls. You need to communicate this as soon as possible.

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Mar 02, 2021

Mar 03, 2021

Suggested Topics