5 Comments
Stephan

Thank you for the informative blog post. Is there any chance to see an ISO 27001 Lead Auditor course from you in the future? That would be amazing.

Anand

Very insightful article. Although seemingly apparent, it is true that most people do not begin with risk. Another confusion I came across is regarding whether one should include clauses too, alongside the 93 reference controls, in the SOA for a 2nd line guy, or in an RCM if s/he is an internal auditor performing a compliance check. Clause 6 clearly states we should pick and choose from the 93, but this question still pops up from someone or the other. I mean, the 93 controls are meant to cover all the clauses, right?

Sneaky111

I don't see the value added if you reference Annex A controls when you have defined your own custom controls. It's not necessary; you could exclude the Annex A controls and just define your own. Maybe this approach is shown here because there is a risk that uneducated auditors would not accept excluding Annex A controls.

Naomi Njoku

Wow! I always knew there was so much more to SoA than I’ve seen so far.

This is good! Thank you for putting this out.

Sripati MS

+1. Also, we are so used to this ‘reverse engineering and going backward’ mentality that we tag every missing control as a ‘risk’.

https://www.sripati.info/p/lack-of-captcha-is-not-always-a-valid-vulnerability-or-risk
