Applicability of A14 for Data Centre
The concern is in reference to Annex A: the 14th domain of ISO 27001:2013 - System acquisition, development and maintenance.
Can all the controls of the 14th domain be excluded from the Statement of Applicability with appropriate justifying statements?
OR
Would certain sub-domains of the 14th domain, which do not specify application relevance and in general address 'systems', have to be included in the Statement of Applicability?
Answer:
You should select the controls based on 1) legal, regulatory and contractual requirements, 2) risk management activity.
You don't say whether the A14 controls are excluded due to the rule above, or Application Development and Maintenance are outsourced (because you don't have the internal capability), or are simply excluded from the scope for any other reason.
In the second case, what you outsource has to be covered by the controls in A15.
However, it sounds strange to me to certify an empty IT infrastructure. You probably have data and applications on it. A14.1 is then fully mandatory based on the rule in the first sentence.
Jan 12, 2016