Do you think it is possible to exclude A.12.1.2 for this area from our applicable controls without losing the certification status?
Answer:
If I understood correctly, the only issue in your current change process is about raising the change in advance. Considering that, the standard requires you to control the changes, not necessarily to "raise" them in advance, so there is no need to exclude the whole control (you can exclude only the "raise" in advance part).
To exclude a control you have to demonstrate that this exclusion won't give rise to unacceptable risks, nor will it mean not fulfilling contracts, laws or other legal requirements that your organization must be compliant with.
If you can satisfy these conditions, this exclusion will not affect the ISO 27001 certification (but it does not seem to be your case).
This article will provide you further explanation about controls applicability:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Dec 01, 2018