Respond to : The SoA must involve a list in the security controls from Annex A of ISO/IEC 27001. It must also demonstrate the steps to implement Every control, like any modifications or exclusions and references about policies, procedures, or documents. Understanding the meaning of ISO 27001