What is the Statement of Applicability (SOA) and what should it be consistent with?
A) The SOA is the end-product of the risk-assessment process and should be consistent with the ISMS policy developed in the early stages of the PDAC process.
B) The SOA is the first draft of the risk-assessment process should be consistent with the ISMS policy developed in the early stages of the PDAC process.
C) The SOA is the end-product of the risk-assessment process and should be contradictive to the ISMS policy developed in the later stages of the PDAC process.
D) The SOA should be consistent with the risk assessment standards found in ISO 9002.

Question

Quizplus · Accepted Answer

The Statement of Applicability (SOA) is the end-product of the risk-assessment process and should be consistent with the Information Security Management System (ISMS) policy developed in the early stages of the PDAC (Plan-Do-Check-Act) process. The SOA is a documented statement that lists all the controls selected for the organization's ISMS based on the identified risks and their impact. The controls selected for the SOA should be consistent with the organization's policies, procedures, and objectives to ensure the effective implementation of the ISMS. ISO 27001:2013 requires the SOA to be regularly reviewed and updated to reflect changes in the risk-level and the organization's business requirements.

Option B is incorrect because the SOA is not the first draft of the risk-assessment process but the output of the process.

Option C is incorrect because the SOA should not be contradictive to the ISMS policy but consistent with it.

Option D is incorrect because ISO 9002 does not provide guidelines for the SOA.

What Is the Statement of Applicability (SOA) and What Should