What document contains information about the scope and risk treatment plan in ISO 27001?


The Statement of Applicability (SOA) is a key document in the ISO 27001 framework. It outlines the scope of the Information Security Management System (ISMS) and details the risk treatment plan. This document provides a comprehensive overview of the controls that are selected to manage identified risks, indicating which controls are applicable, which are not, and the rationale behind these decisions. Furthermore, it serves as a bridge between the risk assessment outcomes and the actual implementation of controls, ensuring that all aspects of risk management are systematically addressed.

The SOA is critical because it not only defines the controls that have been chosen to mitigate risks but also offers insights into the reasoning for exclusions or adjustments to the standard controls proposed in Annex A of ISO 27001. By establishing the scope and context of the ISMS, the SOA also helps to ensure that all stakeholders are aligned on the objectives and requirements of the information security program.

In contrast, while the information security policy sets the overall direction and principles for information security, and the risk assessment report contains the findings from the risk assessment process, it is the SOA that specifically combines the scope of the ISMS and the associated risk treatment actions into a coherent document. The data protection plan, on the other hand
