Expert Advice Community
Statement of Applicability & auditor's comments on effectiveness of controls

Guest post Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

I have just watched the tutorial video on "How to Write ISO 27001 Statement of Applicability" and noticed that there wasn't a column for the certification body's opinion on the effectiveness of the applicable controls. According to the tutorial video this is not a mandatory field. Where then does the certification body document its opinion on the effectiveness of each of the controls? Secondly, can the certification body issue certification if there are any weaknesses in the way some controls are implemented, or must they all be 100% effective? Regards. CM
DejanK Jan 12, 2016

The Statement of Applicability (as well as other ISMS documents) is an internal document that the company develops for managing its security - it should not be produced to serve the certification audit, nor should the certification auditor use it as their record.

Certification auditors should use their own forms for noting conclusions and reporting them to you.

The certification body won't issue the certificate if they find major nonconformities (when you lack some important part of the ISMS or when you do not comply at all with some of your documents); if they find minor nonconformities, they will issue the certificate.

These articles can also help you:
- Becoming ISO 27001 certified - How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
- How to get certified against ISO 27001? https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/
- How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/
- How to approach an auditor in a certification audit https://advisera.com/articles/how-to-approach-an-auditor-in-a-certification-audit/

Guest post Jan 12, 2016

Thank you for your response Dejan.
In my scenario, I am performing a risk assessment (on behalf of my employer) on a third party who is ISO 27001 certified.
Although I have seen the certificate as proof of certification, I have not seen their certification body's audit notes or evidence that provide me with assurance that their controls are effective.

Due to a lack of assurance as to the effectiveness of security controls in their environment, I am looking to raise a finding and associated risk for this gap and ask that my employer require the third party to undergo a SOC 2 SSAE Type II audit.

Is this a reasonable approach to follow (or overkill), or can the third party (via their certification body) mitigate the need for a SOC 2 SSAE Type II audit by providing more evidence on the effectiveness of controls?

DejanK Jan 12, 2016

I'm not sure whether the SOC 2 SSAE Type II audit will be more thorough than the ISO 27001 certification audit, but you can surely ask this third party to show you the certification body audit report that has been done for ISO 27001 certification - that report will show all the findings.

However, if this third party could potentially cause big damage to your company, then probably the best idea is that you perform the audit of this company yourself (or with your team).
