Please note that these items must be implemented only if:
- There are unacceptable risks demanding the implementation of the items
- There are legal requirements demanding the implementation oitemsf the
- There is a top management decision demanding the implementation of the items
If none of the above occurs, you do not need to implement these items.
Considering that, you have to verify what of the above conditions occurs to each item to define which one, or both, will be implemented.
This article will provide you further explanation about selecting controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
This material will also help you regarding selecting controls:
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/