Expert Advice Community

Control application

Guest user Created:   Sep 17, 2017 Last commented:   Sep 17, 2017

1 - How to determine if a control is in or out of scope for a company?
Expert
Rhand Leal Sep 17, 2017

Answer: To identify if a control is needed for the scope of an organization you need:
- to perform a risk assessment to identify if there are unacceptable risks related to the scope that can be mitigated by the control you are considering;
- to evaluate if legal requirements, such as laws, industry regulations, or contracts, demand the application of the control;
- to consult top management decisions regarding which controls should be applied regardless of the results of risk assessments and legal requirements.

If, after that, you identify no reason to apply the control, you can consider it out of your ISMS scope.

2 - How to use the ISO 27000 series in small/medium-small companies, where the IT function is 1-10 people?

Answer: ISO 27001 was designed to be implemented by organizations of any size, but small companies need to take care that they do not write too many documents (the standard itself requires only a few of them).

These articles will provide you further explanation about ISO 27001 implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
- List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
- The 3 key challenges of ISO 27001 implementation for SMEs https://advisera.com/27001academy/blog/2017/04/17/the-3-key-challenges-of-iso-27001-implementation-for-smes/

These materials will also help you regarding risk assessment:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001: An overview of the ISMS implementation process [free webinar] https://advisera.com/27001academy/webinar/iso-27001-overview-isms-implementation-process-free-webinar-demand/
