Information security

What is an SoA document

An SoA (Statement of Applicability) document consists of a list of measures that an organization can implement as part of its risk management effort.

What is an SoA document?

In the SoA document, the organization records which of the possible measures it has chosen to implement, and which it has chosen not to implement, in order to address the identified risks.

The list of measures to be considered is given in ISO/IEC 27001 Annex A.

Preparation of the SoA document is intended to follow the risk management plan, but in practice it is carried out in parallel with it, since the measures in Annex A can be used as a checklist to ensure that the risks have been managed as required.

The SoA document must include a justification for each measure that has been deselected. The selected measures form the basis of action plans for the activities intended to implement them.

In addition to the measures listed in Annex A, the SoA document must also include any other measures deemed relevant to the individual organization. Applicable legislation must be taken into account.

The completed SoA document must be approved by the management of the organization.


Berit Aadal
Senior Consultant
Standardization | Digital & Sustainability
T: 39 96 62 96

More information

ISO/IEC 27001 Information security management

Owing to increased digitalization, the risk of cyber-attacks and other types of IT crime increases accordingly. ISO/IEC 27001 on information security is therefore a standard that every company or organization should consider.

ISO/IEC 27002 – Information security controls

ISO/IEC 27002 provides guidance on selecting controls for implementing an information security management system.

ISO/IEC 27701 Privacy information management

The standard on privacy information management, ISO/IEC 27701, ensures proper processing of personal data.