Which document can serve as audit evidence to verify conformity to clause 4.3 Determining the scope of the information security management system of ISO/IEC 27001?


The Statement of Applicability (SoA) is a crucial document that outlines the controls selected from ISO/IEC 27001 Annex A and provides justification for their inclusion or exclusion. It specifically aligns with clause 4.3, which focuses on determining the scope of the Information Security Management System (ISMS). The SoA demonstrates how the organization has identified its information security needs based on various factors, including legal, regulatory, and contractual requirements, as well as the risk assessment process.

In this context, the SoA offers clear insight into the organization's security posture and the controls that are deemed necessary to mitigate identified risks, thus validating the scope determined under clause 4.3. This documentation is fundamental in audits, as it provides a tangible reference point for auditors to assess whether the information security management system covers all relevant aspects outlined in the defined scope.

Other documents, while important to the overall ISMS, do not specifically serve to confirm the scope determination as effectively as the SoA. The information security policy outlines the organization's approach to managing security risks but does not detail the specific controls chosen. The risk assessment report identifies potential risks but does not define the boundaries or scope of the ISMS itself. An audit plan outlines what will be audited but does not
