Expert Advice Community

Applicability of controls

Guest user Created: Feb 20, 2018 Last commented: Feb 20, 2018

Your comments in the Access Control Policy template states:
Expert
Rhand Leal Feb 20, 2018

Delete this item if control A.9.2.1 is marked as inapplicable in the Statement of Applicability

This implies that Access Control may not be mandatory. However, it seems a bit against the principles of ISO 27001 to disregard Access Control to information assets. The documentation I find elsewhere seems to indicate that this is in fact mandatory.

Would you care to elaborate on that, for me, please?

Answer: A control from Annex must be applied only if one of the following occurs:
- There are risks identified as unacceptable in the risk assessment that require the implementation of the control
- There are legal requirements (e.g., laws, regulations, contracts, etc.) that require the implementation of the control
- There is a top management decision requiring the implementation of the control

If none of these occurs, there is no need to implement a control considering ISO 27001 requirements.

These articles will provide you with further explanation about risk assessment:
- ISO 27001 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/

- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/

These materials will also help you regarding risk assessment:
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
