Reply: The SoA must contain a list of the security controls from Annex A of ISO/IEC 27001. It must also demonstrate the steps to implement each individual control, which includes any modifications or exclusions and references relating to policies, procedures, or documents. In fact, it's become the de facto https://iso-2700149258.ampblogs.com/about-asset-owner-definition-iso-27001-69053476