Can we exclude A.14.2.2 if a company is a bodyshop for another company and the vendor only performs code changes, updates and customizations based on the client's change management policy?
Expert
Dejan Kosutic
Jan 20, 2020
The exclusion of controls in ISO 27001 can be made only if there are no related risks, and if there are no legal or contractual requirements.
So you have to perform a risk assessment and review all the requirements, and only then can you conclude whether you can exclude this control.
These materials will also help you regarding exclusion of controls, managing risks and listing requirements:
- Book: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own
  https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training: ISO 27001 Foundations Course
  https://advisera.com/training/iso-27001-foundations-course/