User
Let's assume we added a policy for some control in SoA. What do we do if we later realize that we need to implement technical measures?
Experta
An organization can update the Statement of Applicability (SoA) after it has been approved. The SoA is a living document that can be updated as needed to reflect changes in the organization's approach towards information security.
It is important to ensure that any modifications to the SoA are justified, formally approved, and recorded according to your document control procedure.
Examples:
For example, if new technical measures are identified or deemed necessary after the initial approval of the SoA, they can be added for a particular control.