Response : The SoA should incorporate a list of your security controls from Annex A of ISO/IEC 27001. It should also make clear the steps to implement Each individual control, such as any modifications or exclusions and references regarding policies, procedures, or documents. ISO 14971:2019