The SoA (Statement of Applicability) is a mandatory ISO27001 document. It lists the controls from Annex A of ISO27001:2022 (A5-A8) and states, for each one, whether and why it applies. The controls are explained in more detail in ISO27002. Further information can be found here:
For each control you must record one of the following justifications:

| Justification | Meaning |
|---|---|
| Legal obligation | There is a legal requirement |
| Contractual obligation | We have agreed this with a client or partner |
| Best Practice | We do this voluntarily because we think this is a meaningful measure |
| Risk Analysis | We do this because of a risk from our risk analysis |
| Other | |

Some certifiers require that everything is also linked to a risk. The justification for a control is then recorded as one of:

- Risk Analysis
- Risk Analysis + Legally required
- Risk Analysis + Contractually required
- Risk Analysis + Best Practice

You must therefore complete a risk analysis before you can produce an SoA, together with an analysis of the legal requirements and contractual obligations that apply to you.