If an organisation has DC issued by an external party, and the organisation does NOT use any other encryption controls, will controls 10.1.1 and 10.1.2 be applicable? The organisation does not generate any digital certificates.
Answer: If your organization makes use of digital certificates, both controls A.10.1.1 (Policy on the use of cryptographic controls) and A.10.1.2 (Key management) should be stated as applicable.
The reason for application of A.10.1.1 is because you should have clear rules about when, how, and by whom these certificates should be used, and how they should be managed.
As for A.10.1.2, the adoption of practices for protection of cryptographic keys should be included as a clause in the service agreement with the provider, so you can ensure they will provide at least the same level of protection as if your organization was managing the keys itself.
Please note that when stating a control as applicable, you could use as justification results of risk assessment, top management decision, or compliance with a legal or contractual requirement.