SoA risks
- Gary Hinson
- 4 days ago
Updated: 3 days ago

Before the sun came up this morning, fueled by strong coffee and prompted by yet another lame social media thread on the subject, I wrote a new FAQ concerning disclosure of the Statement of Applicability (SoA).
On LinkedIn, there's the usual confusing muddle of concerns and conflicting advice after someone asked whether a company can share its SoA, adding that (according to someone on Reddit last night [allegedly]) the [certification?] auditor said they "cannot share the SoA because it is confidential".
Poppycock! Someone has clearly misunderstood.
Some 30 respondents dance around the topic, expressing opinions and telling us what they do, what they've seen or what they've heard. "I NEVER trust an iso27001 certification without seeing the SOA," states one, definitively. Another warns us: "Do not do business with a company that says 'the standard does not allow me to share this' if you value your data". These and other similar responses are well-meaning, but most miss the point ... so I mulled it over for a bit and added to the ISO27k FAQ.
Bottom line: in essence, organisations should manage the associated risks. Easy-as.