In the SoA document, the organization selects, from a list of possible measures, which measures it will and will not implement to address the identified risks.
The list of measures to be considered is given in ISO/IEC 27001 Annex A.
Preparation of the SoA document is intended to follow on from the risk management plan, but in practice it is carried out in parallel, since the measures in Annex A can be used as a checklist to ensure that risks have been managed according to regulations.
The SoA document must include a justification for each measure that has been deselected. The selected measures form the basis of action plans for the activities intended to implement them.
In addition to the list of measures in Annex A, the SoA document must also include other measures which are deemed relevant to the individual organization. Legislation must be taken into account.
The completed SoA document must be approved by the management of the organization.
As digitalization increases, so does the risk of cyber-attacks and other types of IT crime. ISO 27001 on information security is therefore a standard that every company or organization should consider.
ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.
The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.