Who writes the Statement of Applicability?
Answer: ISO 27001 does not define who should write the Statement of Applicability, but good practice is that this document is written by the person who is the project manager for the ISO 27001 implementation - in most cases this is the CISO. The project manager/CISO is usually in the best position to collect all the information from other departments and fill it into the SoA.
If you had several people updating the SoA, you would have a problem with the integrity of this document.
ISO 27001 does not require you to determine the maturity level of the controls, it only requires you to state whether they are implemented or not (clause 6.1.3 d).
Jan 12, 2016