As a small organisation of only 6 staff that does no software development and only uses large-scale third-party systems such as Office 365, Windows 10, etc., am I safe to rule out all section 14 controls within Annex A other than the two listed below?
- A.14.2.4 Restrictions on changes to software packages
  - Covered by the Change Management Policy
- A.14.2.7 Outsourced development
  - Covered by the Supplier Security Policy