Can the risk be accepted and the control not applied?
Answer: You shouldn't mix the terms here - the ISMS scope refers to which information you are protecting and which information is not protected (it is out of the scope); within the ISMS scope you can decide which controls to apply and which not to apply.
To answer your question - if you have identified a risk which is low and decided to accept it and not to apply the related control, this is something you are allowed to do. The certification auditor shouldn't object to that, but the auditor can object if you didn't take into account all the vulnerabilities and threats, and if you didn't apply the assessment scale systematically. From my own experience, companies very often bend their own risk assessment approach in order to avoid certain controls - this is what the certification auditors are allergic to.
Jan 12, 2016