Response: The SoA should consist of a list of the security controls from Annex A of ISO/IEC 27001. It also needs to explain the steps to implement each control, including any modifications or exclusions, and references to the related policies, procedures, or documents. The truth is, https://iso-27001-what-is-it47025.bloggip.com/32276448/not-known-factual-statements-about-iso-27001-types-of-audit