ISMS SoA & Risk Treatment Author
Overview
Guided drafting of ISMS documentation for ISO/IEC 27001: context of the organization, risk assessment, risk treatment plan, Statement of Applicability (SoA), and security policies. Ensures every Annex A control has a status and a justification, and flags unacceptable risks that have no documented risk treatment.
Getting Started
Add your source materials to the project workspace, then activate the ISMS SoA & Risk Treatment Author skill. The agent will guide you through the process step by step.
Example Conversation
You: We’re preparing for ISO 27001 certification. I have a draft SoA with about 60 controls filled in. Can you help complete the rest and check that every Annex A control has a status and justification?
Agent: I’ll work from your existing SoA. First I’ll run the check_soa_control_coverage tool on the document to see which controls are referenced and which are missing status or justification. Then we can complete the gaps.
Agent: The tool found 62 Annex A controls referenced in your SoA. It flagged 8 controls (e.g. A.5.12, A.6.5) where status or justification isn’t clearly documented nearby. It also noted that your risk treatment section mentions “unacceptable risks” but doesn’t clearly list owners and deadlines for each. I’ll add justification placeholders for the 8 controls and suggest a risk treatment table with owner and deadline columns.
You: Add the table. We’ll assign owners internally.
Agent: I’ve added a risk treatment table template and completed the missing control justifications. Re-run check_soa_control_coverage after you assign owners to confirm the risk treatment warning is resolved.
Sample Output Excerpt
Below is an excerpt from a Statement of Applicability section, showing how controls are documented with status and justification.
Statement of Applicability (excerpt)
| Control | Title / theme | Applicable? | Justification / implementation |
|---|---|---|---|
| A.5.1 | Policies for information security | Yes | ISMS policy v2.1; reviewed annually. |
| A.5.2 | Information security roles and responsibilities | Yes | RACI in ISMS manual; role descriptions in HR. |
| A.5.7 | Threat intelligence | Not applicable | No dedicated threat-intel function; risks covered by 5.24–5.26. |
| A.6.3 | Information security awareness, education and training | Yes | Annual awareness campaign; new-joiner training; ref. procedure ISMS-06. |
| A.8.24 | Use of cryptography | Yes | Key management and TLS per procedure ISMS-12. |
Risk treatment plan: Unacceptable risks (R-03, R-07, R-11) have assigned owners and target completion dates in the risk register.
Built-in Validation Tools
The skill includes an extension tool that checks ISMS documentation for SoA and risk treatment coverage.
What the tool checks
| Check | check_soa_control_coverage |
|---|---|
| SoA section | Detects a Statement of Applicability or Annex A section |
| Annex A references | Counts how many of the 93 controls (A.5.1–A.8.34) are referenced |
| Status and justification | For each referenced control, checks that a status (“applicable”/“not applicable”) and a justification appear nearby |
| Risk treatment | Looks for unacceptable/high risks and checks that risk treatment, owner, or deadline is documented |
| Findings | Reports WARNING/INFO for missing status, justification, or risk treatment |
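The page does not show how check_soa_control_coverage is implemented, so the script below is an added illustration, not the skill's own code: it reproduces the checks in the table above as plain text heuristics over a Markdown SoA. The function names (check_soa, render_report), the regular expressions, the "three words after the status token" justification rule, and the constructed sample document are all assumptions made for this example; only the Annex A numbering (93 controls, A.5.1–A.8.34, grouped 37/8/14/34 across the four themes) comes from ISO/IEC 27001:2022.

```python
import re

# ISO/IEC 27001:2022 Annex A: 37 organizational (A.5), 8 people (A.6),
# 14 physical (A.7) and 34 technological (A.8) controls, 93 in total.
ANNEX_A_COUNTS = {5: 37, 6: 8, 7: 14, 8: 34}
ANNEX_A = {f"A.{t}.{n}" for t, c in ANNEX_A_COUNTS.items() for n in range(1, c + 1)}

CONTROL_RE = re.compile(r"\bA\.([5-8])\.(\d{1,2})\b")
STATUS_RE = re.compile(r"\b(not applicable|applicable|yes|no)\b", re.IGNORECASE)
UNACCEPTABLE_RE = re.compile(r"\bunacceptable\b|\bhigh[- ]risk", re.IGNORECASE)
OWNER_RE = re.compile(r"\bowner\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"\b(deadline|due date|target (?:completion )?date)\b", re.IGNORECASE)


def _section(lines, keyword):
    """Lines under the first Markdown heading containing `keyword`, up to the next
    heading; falls back to the whole document when no such heading exists."""
    start = None
    for i, line in enumerate(lines):
        if line.startswith("#"):
            if start is not None:
                return " ".join(lines[start:i])
            if keyword in line.lower():
                start = i + 1
    return " ".join(lines[start:] if start is not None else lines)


def _has_justification(window, status):
    """Heuristic (assumption): at least three words of free text follow the status token."""
    tail = re.sub(r"[|\s]+", " ", window[status.end():]).strip()
    return len(tail.split()) >= 3


def check_soa(text):
    """Return the referenced-control count and WARNING/INFO findings for one SoA document."""
    lines = text.splitlines()
    referenced = {}  # control id -> line index of its first mention
    findings = []
    for i, line in enumerate(lines):
        # A table row is self-contained; in prose the status/justification may sit on
        # the next two lines, so widen the window there.
        window = line if line.lstrip().startswith("|") else " ".join(lines[i:i + 3])
        for m in CONTROL_RE.finditer(line):
            cid = m.group(0)
            if cid not in ANNEX_A:
                findings.append(("WARNING", f"{cid} is not an ISO/IEC 27001:2022 Annex A control."))
                continue
            if cid in referenced:
                continue
            referenced[cid] = i
            status = STATUS_RE.search(window, m.end())  # only look after the control id
            if status is None or not _has_justification(window, status):
                findings.append(("WARNING", f"Control {cid}: ensure status (applicable/not "
                                 "applicable) and justification are documented."))
    if UNACCEPTABLE_RE.search(text):
        plan = _section(lines, "risk treatment")
        if not (OWNER_RE.search(plan) and DEADLINE_RE.search(plan)):
            findings.append(("WARNING", "Document mentions unacceptable or high risks but risk "
                             "treatment section does not clearly define treatment, owner, or deadline."))
    missing = len(ANNEX_A) - len(referenced)
    if missing:
        findings.append(("INFO", f"{missing} Annex A controls not referenced in the document."))
    return {"referenced": len(referenced), "total": len(ANNEX_A), "findings": findings,
            "warnings": sum(1 for level, _ in findings if level == "WARNING")}


def render_report(result, path):
    """Plain-text report laid out like the page's example output."""
    out = ["=" * 70, "ISMS SoA & RISK TREATMENT COVERAGE REPORT", "ISO/IEC 27001:2022 Annex A",
           "=" * 70, f"Document: {path}",
           f"Annex A controls referenced: {result['referenced']} / {result['total']}",
           "--- FINDINGS ---", *[f"[{lvl}] {msg}" for lvl, msg in result["findings"]],
           "--- SUMMARY ---", f"Warnings: {result['warnings']}", "=" * 70]
    return "\n".join(out)


# Constructed sample SoA (not a real document): A.5.12 lacks a justification, A.6.5
# lacks a status, and the risk treatment plan names no owner or deadline.
SAMPLE_SOA = """\
# Statement of Applicability

| Control | Title / theme | Applicable? | Justification / implementation |
|---|---|---|---|
| A.5.1 | Policies for information security | Yes | ISMS policy v2.1; reviewed annually. |
| A.5.7 | Threat intelligence | Not applicable | No dedicated threat-intel function; risks covered by 5.24-5.26. |
| A.5.12 | Classification of information | Yes | |
| A.6.5 | Responsibilities after termination or change of employment | | HR offboarding checklist. |
| A.8.24 | Use of cryptography | Yes | Key management and TLS per procedure ISMS-12. |

## Risk treatment plan

Unacceptable risks R-03 and R-07 will be treated by additional controls.
"""

# The same document after the gaps are closed; the risk treatment warning clears once
# the plan carries owner and deadline columns.
SAMPLE_SOA_FIXED = (
    SAMPLE_SOA
    .replace("| Yes | |", "| Yes | Classification scheme in ISMS-04; labels applied in the DMS. |")
    .replace("employment | |", "employment | Yes |")
    + "\n| Risk | Treatment | Owner | Deadline |\n|---|---|---|---|\n"
      "| R-03 | Enforce MFA on VPN | IT Lead | 2025-09-30 |\n"
      "| R-07 | Encrypt offsite backups | Ops Lead | 2025-10-31 |\n"
)

if __name__ == "__main__":
    print(render_report(check_soa(SAMPLE_SOA), "docs/soa.md (constructed sample)"))
    print(render_report(check_soa(SAMPLE_SOA_FIXED), "docs/soa.md (after fixes)"))
```

Running the script reports three warnings for the constructed sample (A.5.12, A.6.5, and the risk treatment plan) plus the INFO line for the 88 unreferenced controls, and zero warnings for the corrected version. Because every check is a proximity match on text, a clean report only means the document is complete in form; it says nothing about whether the controls are actually in place.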
Example validation output
```text
======================================================================
ISMS SoA & RISK TREATMENT COVERAGE REPORT
ISO/IEC 27001:2022 Annex A
======================================================================
Document: docs/soa.md
Annex A controls referenced: 62 / 93
--- FINDINGS ---
[WARNING] Control A.5.12: ensure status (applicable/not applicable) and justification are documented.
[WARNING] Document mentions unacceptable or high risks but risk treatment section does not clearly define treatment, owner, or deadline.
[INFO] 31 Annex A controls not referenced in the document.
--- SUMMARY ---
Errors: 0
Warnings: 2
======================================================================
```
Run the tool on your SoA or combined ISMS document after each draft or update, and address warnings before certification review. The checks are text heuristics that look for status and justification wording near each control reference, so a clean report confirms the document is complete in form, not that the controls are effectively implemented.