---
title: "ISO/IEC 27001 FAQ: ISMS Scope, Risk and SoA"
canonical_url: "https://www.sorena.io/artifacts/global/iso-27001/faq"
source_url: "https://www.sorena.io/artifacts/global/iso-27001/faq/items/page/2"
author: "Sorena AI"
description: "Practical ISO/IEC 27001 FAQ covering ISMS scope, risk assessment, risk treatment, Statement of Applicability, Annex A controls, certification evidence, audits, management review, and surveillance readiness."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ISO/IEC 27001 FAQ"
  - "ISO 27001 ISMS scope"
  - "Statement of Applicability"
  - "ISO 27001 risk treatment"
  - "Annex A controls"
  - "ISO 27001 certification evidence"
  - "ISO 27001 internal audit"
  - "ISO 27001 management review"
  - "ISO/IEC 27001"
  - "ISMS"
  - "certification evidence"
  - "global compliance"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform


# ISO/IEC 27001 FAQ: ISMS Scope, Risk and SoA

Practical ISO/IEC 27001 FAQ covering ISMS scope, risk assessment, risk treatment, Statement of Applicability, Annex A controls, certification evidence, audits, management review, and surveillance readiness.

*ISO/IEC 27001 FAQ* *ISMS implementation* *ISO/IEC 27001:2022*

## ISO/IEC 27001 FAQ

Clear answers for teams implementing ISO/IEC 27001: define the ISMS scope, assess information security risk, choose treatment options, build the Statement of Applicability, and keep audit evidence current.

Use this as implementation guidance for an information security management system, not for legal interpretation or a substitute for an accredited certification audit.

ISO/IEC 27001 is easiest to operate when the FAQ is tied to actual ISMS decisions: what is in scope, which risks were assessed, which controls were selected, what evidence proves they operate, and what leadership reviews when the ISMS changes.

## Browse sub-FAQ modules

### [ISO/IEC 27001 Annex A Control Ownership FAQ](/artifacts/global/iso-27001/faq/annex-a-control-ownership.md)

How should teams assign Annex A Control Ownership under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27001 Certification Body Evidence FAQ](/artifacts/global/iso-27001/faq/certification-body-evidence.md)

How should teams handle Certification Body Evidence under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27001 Internal Audit FAQ](/artifacts/global/iso-27001/faq/internal-audit.md)

How should teams run ISO/IEC 27001 internal audits: who should own each step, what evidence is expected, and how findings are resolved.

- 4 items

### [ISO/IEC 27001 Management Review FAQ](/artifacts/global/iso-27001/faq/management-review.md)

How should teams handle Management Review under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27001 Risk Acceptance FAQ](/artifacts/global/iso-27001/faq/risk-acceptance.md)

How should teams handle Risk Acceptance under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27001 SoA Exclusions FAQ](/artifacts/global/iso-27001/faq/soa-exclusions.md)

How should teams justify Statement of Applicability exclusions under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

### [ISO/IEC 27001 Surveillance Audits FAQ](/artifacts/global/iso-27001/faq/surveillance-audits.md)

How should teams handle Surveillance Audits under ISO/IEC 27001? Practical answer with owners, evidence, review triggers, and external source references.

- 4 items

Browse all indexed questions: [/artifacts/global/iso-27001/faq/items](/artifacts/global/iso-27001/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 8 of 28 items.*

### [How should teams justify Statement of Applicability exclusions under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/soa-exclusions.md#how-should-teams-justify-statement-of-applicability-exclusions-under-isoiec-27001)

*Module: [ISO/IEC 27001 SoA Exclusions](/artifacts/global/iso-27001/faq/soa-exclusions.md)*

An Annex A control is excluded from the Statement of Applicability only when the ISMS scope or the risk assessment gives a reason for it. ISO/IEC 27001:2022 clause 6.1.3 d) requires the SoA to list the necessary controls, justify their inclusion, state whether each is implemented, and justify the exclusion of any Annex A control; "not implemented yet" is a treatment status, not an exclusion justification, and a control operated by a supplier remains applicable when the risk it treats is in scope (outsourcing changes who provides the evidence, not whether the control is needed).

- Name the accountable owner and reviewer for each exclusion.
- Record the scope boundary or risk-assessment result the exclusion rests on, the decision, approval date, evidence location, exception status, and next review trigger.
- Escalate when an exclusion changes risk acceptance, service commitments, customer promises, regulatory duties, or certification evidence.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.

### [What evidence should prove SoA Exclusions is current under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/soa-exclusions.md#what-evidence-should-prove-soa-exclusions-is-current-under-isoiec-27001)

*Module: [ISO/IEC 27001 SoA Exclusions](/artifacts/global/iso-27001/faq/soa-exclusions.md)*

The evidence should show the decision being made and maintained, not just written down. For SoA exclusions, the record an auditor reads is the approved SoA version showing the exclusion, its justification and approval date, read against the ISMS scope statement and the risk assessment results (which should contain no risk whose treatment depends on the excluded control); internal audit findings, corrective actions, and management review records then show the exclusion was re-examined when scope or risk changed.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.
- [ISO/IEC 27005:2022 standard page](https://www.iso.org/standard/80585.html?ref=sorena.io) - This source supports risk treatment and monitoring context that informs control decisions and residual risk handling.
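The checks the two answers above describe (every exclusion carries a justification and an owner, and linked registers stay consistent when the SoA changes) can be run mechanically against the registers. The following is an added example, not code from Sorena or from the standard: a small Python linter over a constructed SoA and risk treatment plan (the register layout, control rows, owners and risk IDs are hypothetical) that reports exclusions without a justification, exclusions that the risk treatment plan still relies on, rows without an owner or review date, implemented controls with no evidence location, and treatment references to controls the SoA does not list.

```python
"""Consistency check for Statement of Applicability (SoA) exclusions.

Added example. The register layout and the sample rows are constructed
for illustration (hypothetical ISMS data); they are not a real SoA.
"""
from datetime import date

# Constructed SoA rows, one per Annex A control considered. "applicable"
# False means the control is excluded and needs a justification
# (ISO/IEC 27001:2022 clause 6.1.3 d). Control numbers follow ISO/IEC 27002:2022.
SOA = [
    {"id": "5.1", "applicable": True, "implemented": True,      # Policies for information security
     "justification": "Policy baseline; treats R-07", "owner": "CISO",
     "evidence": "policy-repo/infosec-policy.md", "next_review": "2026-11-01"},
    {"id": "8.25", "applicable": False, "implemented": False,   # Secure development life cycle
     "justification": "No in-house software development within ISMS scope",
     "owner": "CISO", "evidence": "", "next_review": "2026-11-01"},
    {"id": "7.14", "applicable": False, "implemented": False,   # Secure disposal or re-use of equipment
     "justification": "", "owner": "", "evidence": "", "next_review": ""},
    {"id": "8.8", "applicable": False, "implemented": False,    # Management of technical vulnerabilities
     "justification": "Handled by hosting provider", "owner": "Platform lead",
     "evidence": "", "next_review": "2026-11-01"},
]

# Constructed risk treatment plan: which controls each risk's treatment relies on.
RTP = [
    {"risk_id": "R-12", "treatment": "modify", "controls": ["8.8", "8.9"]},
    {"risk_id": "R-07", "treatment": "modify", "controls": ["5.1"]},
]


def check_soa(soa, rtp, today):
    """Return (control_id, rule, message) findings for an SoA register.

    The rules encode what an auditor reads the SoA against: every row has
    an owner and a review date, every exclusion has a justification, no
    exclusion contradicts the risk treatment plan, and implemented
    controls point at evidence.
    """
    findings = []
    known = {row["id"] for row in soa}
    relied_on = {}  # control id -> risks whose treatment names it
    for risk in rtp:
        for cid in risk["controls"]:
            relied_on.setdefault(cid, []).append(risk["risk_id"])

    for row in soa:
        cid = row["id"]
        if not row["owner"].strip():
            findings.append((cid, "MISSING_OWNER", "no accountable owner recorded"))
        if not row["applicable"]:
            if not row["justification"].strip():
                findings.append((cid, "EXCLUSION_NO_JUSTIFICATION",
                                 "excluded without the justification clause 6.1.3 d) requires"))
            if cid in relied_on:
                risks = ", ".join(relied_on[cid])
                findings.append((cid, "EXCLUSION_CONTRADICTS_RTP",
                                 f"excluded, but treatment of {risks} relies on it"))
        elif row["implemented"] and not row["evidence"].strip():
            findings.append((cid, "MISSING_EVIDENCE", "implemented but no evidence location"))
        review = row["next_review"].strip()
        if not review:
            findings.append((cid, "REVIEW_UNSET", "no planned review date"))
        elif date.fromisoformat(review) < today:
            findings.append((cid, "REVIEW_OVERDUE", f"review date {review} has passed"))

    # A treatment that names a control the SoA never considered is a gap in
    # clause 6.1.3 c): the Annex A comparison missed a necessary control.
    for cid in sorted(relied_on):
        if cid not in known:
            findings.append((cid, "RTP_REFERENCES_UNKNOWN_CONTROL",
                             f"risk treatment names {cid} but the SoA has no row for it"))
    return findings


def run_example():
    """Run the check over the constructed registers as of a fixed date."""
    return check_soa(SOA, RTP, date(2026, 6, 1))


if __name__ == "__main__":
    for cid, rule, msg in run_example():
        print(f"{cid:<5} {rule:<32} {msg}")
```

Run as a script it prints five findings for the sample: control 7.14 has no owner, no justification and no review date; control 8.8 is excluded while risk R-12 still depends on it; and R-12 also names control 8.9, which the SoA never assessed. In practice the rows would be exported from the SoA and risk register rather than embedded, and the check would run whenever either register changes, which is the "update linked registers" rule above made enforceable.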

### [Who should approve SoA Exclusions decisions under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/soa-exclusions.md#who-should-approve-soa-exclusions-decisions-under-isoiec-27001)

*Module: [ISO/IEC 27001 SoA Exclusions](/artifacts/global/iso-27001/faq/soa-exclusions.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.

### [When should SoA Exclusions be reviewed under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/soa-exclusions.md#when-should-soa-exclusions-be-reviewed-under-isoiec-27001)

*Module: [ISO/IEC 27001 SoA Exclusions](/artifacts/global/iso-27001/faq/soa-exclusions.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, security-critical system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.

### [How should teams handle Surveillance Audits under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/surveillance-audits.md#how-should-teams-handle-surveillance-audits-under-isoiec-27001)

*Module: [ISO/IEC 27001 Surveillance Audits](/artifacts/global/iso-27001/faq/surveillance-audits.md)*

Surveillance audits are the certification body's checks, normally annual within the certification cycle, that the ISMS still conforms to ISO/IEC 27001 and is still operating; ISO/IEC 27006-1 sets the requirements for the bodies that perform them. Treat them as a recurring process with an owner rather than an event: know the agreed audit programme, which clauses and controls are being sampled this cycle, and where the evidence for each lives before the auditor asks.

- Name the accountable owner and reviewer for surveillance-audit readiness and for closing findings.
- Record the audit scope, the sampling plan if the certification body provides one, open nonconformities with their corrective actions, approval dates, evidence locations, and the next audit date.
- Escalate when a finding changes risk acceptance, service commitments, customer promises, regulatory duties, or certification status.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27006-1:2024 standard page](https://www.iso.org/standard/82908.html?ref=sorena.io) - This source states that certification bodies audit and certify ISMS in accordance with ISO/IEC 27001 and supports the certification-body context for surveillance audits.

### [What evidence should prove Surveillance Audits is current under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/surveillance-audits.md#what-evidence-should-prove-surveillance-audits-is-current-under-isoiec-27001)

*Module: [ISO/IEC 27001 Surveillance Audits](/artifacts/global/iso-27001/faq/surveillance-audits.md)*

The evidence should show that the ISMS has operated since the last audit, not that it was rebuilt for this one. For surveillance audits, the record usually includes the current ISMS scope and Statement of Applicability with their change history, the risk assessment and treatment plan as updated during the period, Annex A control evidence from the period, internal audit reports, corrective actions closing earlier findings, and management review records.

- Use source records from the system of work, not screenshots created only for audit day.
- Keep exceptions visible as risk acceptance, corrective action, or management-review input.
- Update linked registers when the answer changes an owner, risk, control, service, supplier, or review date.

Sources for this answer:

- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.
- [ISO/IEC 27005:2022 standard page](https://www.iso.org/standard/80585.html?ref=sorena.io) - This source supports risk treatment and monitoring context that informs control decisions and residual risk handling.

### [Who should approve Surveillance Audits decisions under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/surveillance-audits.md#who-should-approve-surveillance-audits-decisions-under-isoiec-27001)

*Module: [ISO/IEC 27001 Surveillance Audits](/artifacts/global/iso-27001/faq/surveillance-audits.md)*

The person who can fund, operate, and correct the process should own the decision; governance should review consistency and exceptions.

- Use a named owner, named backup, and named escalation forum.
- Separate preparation work from risk acceptance and final approval.
- Keep approval records with the evidence rather than in disconnected email threads.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.

### [When should Surveillance Audits be reviewed under ISO/IEC 27001?](/artifacts/global/iso-27001/faq/surveillance-audits.md#when-should-surveillance-audits-be-reviewed-under-isoiec-27001)

*Module: [ISO/IEC 27001 Surveillance Audits](/artifacts/global/iso-27001/faq/surveillance-audits.md)*

Review it at planned intervals and whenever the underlying scope, service, supplier, control, risk, security-critical system, personal data flow, incident process, or customer commitment changes.

- Set a planned review date and a change-trigger rule.
- Use findings to update controls, procedures, contracts, risk registers, or training.
- Carry unresolved items into management review or risk acceptance.

Sources for this answer:

- [ISO/IEC 27001:2022 standard page](https://www.iso.org/standard/27001?ref=sorena.io) - Use this source as the governing requirements context for ISO/IEC 27001 scope, control governance, and review cadence in ISMS operations.
- [ISO/IEC 27002:2022 standard page](https://www.iso.org/standard/75652.html?ref=sorena.io) - This source supports control implementation guidance and control-implementation expectations supporting ISO/IEC 27001 governance.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/global/iso-27001/faq/items](/artifacts/global/iso-27001/faq/items.md)
- Current page: 2 of 2

Pages: [1](/artifacts/global/iso-27001/faq/items.md) | [2](/artifacts/global/iso-27001/faq/items/page/2.md)

[Previous page](/artifacts/global/iso-27001/faq/items.md)


## Operationalize ISO/IEC 27001

Use this FAQ to connect your ISMS scope, risk register, treatment plan, Statement of Applicability, Annex A evidence, internal audit results, and management-review actions into one accountable evidence model.

- [Open Assessment Autopilot for ISO/IEC 27001](/solutions/assessment.md): Convert ISO/IEC 27001 answers into owners, evidence requests, control checks, and review tasks.
- [Talk through ISO/IEC 27001 implementation](/contact.md): Review your ISMS scope, SoA, risk-treatment evidence, audit readiness, and certification gaps.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/iso-27001/faq/items/page/2
