- Current Requirement in ISO 27001
ISO 27001 currently mandates that the SoA must include justifications for both the inclusion and exclusion of each Annex A control. This requirement is often interpreted to mean that organizations must provide individual reasoning for every control listed or omitted.
- Guidance from ISO 27005:2022
ISO 27005:2022 clarifies that only controls identified through risk assessment and treatment planning should be included in the SoA. These controls are selected because they help reduce risk to acceptable levels. The guidance explicitly states that no further justification is necessary for their inclusion.
- Exclusion Justification Also Redundant
By extension, the only valid reason for excluding a control is that it was not identified as necessary in the risk treatment plan. If a control does not mitigate any identified risk, there is no need for it to appear in the SoA, and thus no detailed justification is required.
- Controls Must Be Risk-Driven
Controls exist to manage or modify risks. Including or excluding them must be directly based on whether they are necessary for risk treatment. Requiring extra justification, separate from the risk assessment, is logically inconsistent with the function of controls within an ISMS.
- Recommendation to Remove the Justification Requirement
Given this risk-based logic, the recommendation is to eliminate the need for detailed justifications of inclusions or exclusions in the SoA. This requirement appears to be an error or legacy clause in ISO 27001 that contradicts more recent guidance.
- Alignment with ISO 27005 and Future ISO 27003
This position aligns with ISO 27005:2022, which supports a simplified, risk-driven approach to the SoA. It is anticipated that the upcoming ISO 27003 update will reinforce this same guidance, helping to resolve the inconsistency across standards.
- Practical Experience Supports the Change
Despite popular belief, individualized justifications are not essential. The author has implemented many ISO 27001-certified ISMSs over the past decade without providing such justifications, and all achieved certification successfully.
- Simplified SoA Approach Recommended
The SoA should only list necessary controls derived from the risk assessment, with no additional rationale needed for inclusion or exclusion. Controls not identified as necessary should simply not be listed, and the SoA should remain tightly aligned with the risk treatment plan.
Source: ISO27001 suggested change 13