New SaaS, merger, outsourcing or region change? Your ISMS scope shifts — and your Statement of Applicability (SoA) must follow before auditors or enterprise customers spot the gap.
When must you update the SoA?
- new product line or tenant outside current scope;
- critical vendor or subprocessor added;
- control dropped or replaced (e.g. MFA, logging, backup);
- major non-conformity or incident with scope impact.
Steps after a scope change
- Update scope/context document and risk assessment.
- Review Annex A controls: applicable, excluded, with rationale.
- Assign control and evidence owners for new parts.
- Plan internal sampling before external audit.
Deep dive: SoA ISO 27001, scope & context and risk assessment.
Cloud migrations in 2026 are the most common scope trigger: shared responsibility shifts controls to the vendor, but your SoA must record which measures you still perform and which you cover via contract and monitoring.
After merger or acquisition: harmonise scope within 90 days or document temporary exceptions with board decision. Auditors accept transition, not unclear boundaries between old and new entities.
Link SoA updates to change management. Every major change ticket should trigger: scope, SoA, risk and evidence map updated? That prevents surveillance findings on stale documentation.
Change management as trigger
Every major change — new SaaS, datacentre, merger or outsourcing — should trigger a fixed checklist: scope document, risk assessment, SoA, control owners and evidence map. Without it, documentation lags reality until the auditor spots the gap.
Cloud shared responsibility means recording explicitly which controls the vendor covers and which you monitor. Copy-paste vendor marketing into the SoA fails; auditors ask for tenant configuration and contract clauses.
After scope change, plan internal sampling before external audit. Let control owners explain new parts — that reveals gaps faster than document review alone.
Keep versions of scope and SoA with date and approver. In due diligence, buyers sometimes want to see how scope grew with the business over recent years.
Communicate scope changes proactively to major customers when contracts reference ISMS scope. A short factsheet prevents due diligence finding a stale SoA. Internally: train project leads that every major change triggers the checklist.
Change management as fixed trigger
Every major change — new SaaS, datacenter, merger — should trigger a fixed checklist: scope document, risk assessment, SoA, control owners, evidence map. Without it documentation lags until the auditor spots the gap.
Communicate scope changes proactively to major customers when contracts reference ISMS scope. A short factsheet prevents due diligence finding a stale SoA.
Cloud shared responsibility: record explicitly which controls the vendor covers and which you monitor. Copy-paste vendor marketing in the SoA fails at surveillance.
Next steps in your ISMS
Turn this article into one concrete action in your risk register or improvement plan: owner, deadline, expected evidence. Discuss progress in the next management review — auditors and chain partners want decisions, not policy intent alone. Link where possible to existing ISO 27001, NIS2 or GDPR documentation so you do not maintain parallel folders.
Questions on scope, certification or chain requirements? Use our readiness overview and knowledge base for deeper guidance. This article does not replace legal or audit advice for your situation.
Share relevant findings briefly with line management and procurement — compliance becomes workable when the whole organisation recognises the same priorities. Repeat the chosen action quarterly in team meetings and update evidence locations in your SoA or control plan so surveillance samples are easy to answer.
What to do this week
Pick one concrete action from this article, assign an owner and add it to your risk or improvement register with a deadline. Share briefly in team meetings so compliance is something the line recognises. Repeat quarterly in management review so leadership sees progress, not only intent.
Note: this article is educational and does not replace legal, privacy or audit advice for your specific situation.
Evidence and governance
Record who owns the measures in this article and how you prove operation in the sample period — logs, tickets, approved changes or exercise reports. Certification bodies and chain partners do not accept intent without samples. Link evidence locations to your SoA or control plan so internal and external audit use the same sources.
Chain and contracts
Many 2026 requirements come via customers, not only formal law scope. Align contract SLAs with your ISMS: incident notification, audit rights, patch timelines and exit. Document where contract is stricter than internal policy — management review must explicitly accept that gap or plan investment.
