Annex A: Statement of Applicability (SoA) Template
Purpose:
Provide a comprehensive record of all implemented controls under ISO 27001, including any exclusions with justification.
Contents:
- List of all applicable controls (e.g. A.9, A.12, A.16, A.18).
- Details of whether each control is implemented, partially implemented or excluded.
- Justification for Exclusions: Provide clear, documented rationale for any controls not implemented.
- Date of last review and planned update schedule.
Annex B: Risk Assessment and Treatment Reports Template
Purpose:
Detail the methodology, findings and treatment measures derived from the risk assessment process.
Contents:
- Risk Identification Process: Description of methods and tools used to identify and prioritise risks.
- Table or matrix listing identified risks, including probability, impact and risk rating.
- Detailed listing of existing and planned controls for each identified risk.
- Specific timelines, responsibilities and milestones for risk treatment and mitigation.
- Review and Update Protocol: Schedule for regular reassessment and documentation of changes.
Annex C: Incident Response Plan Summary Template
Purpose:
Summarise the processes and protocols in place for responding to information security incidents.
Contents:
- Methods and tools for identifying security incidents (e.g. SOC monitoring, automated alerts).
- Step-by-step actions to be taken during an incident, including escalation pathways and the role of the Crisis Management Team.
- Procedures for data restoration and business continuity post-incident.
- Internal and external notification protocols, including timelines and responsible parties.
- Guidelines for documenting lessons learned and updating policies or controls.
- Scheduled reviews of the incident response plan to ensure continued effectiveness.