In the SoA document, the organization records, for each measure in a list of candidate measures, whether it has chosen to implement it or not in order to treat the identified risks.
The list of measures to be considered is given in ISO/IEC 27001 Annex A (the standard calls them controls).
Preparation of the SoA document is intended to follow the risk treatment plan, but in practice the two are carried out in parallel, since Annex A can be used as a checklist to verify that no necessary measure has been overlooked when the risks were treated, as the standard requires.
The SoA document must justify both the inclusion of each selected measure (stating whether it is already implemented) and the exclusion of each Annex A measure that has been deselected. The selected measures form the basis of the action plans whose activities are intended to result in their implementation.
Annex A is not exhaustive: in addition to its measures, the SoA document must also include any other measures the organization deems necessary for its own risks, and applicable legislation must be taken into account when determining them.
The completed SoA document must be approved by the management of the organization.