Excluding secure development from Statement of Applicability

Guest user Created:   Jan 12, 2016 Last commented:   Jan 12, 2016

We don't have any development activities in our org, so secure development is not applicable and a secure dev policy is accordingly not needed. So what should I put in SOA as existing controls for controls number
DejanK Jan 12, 2016

14.1.2
14.1.3
14.2.1
14.2.2
14.2.3
14.2.4
All the way till
15.1.3

Answer: If your risk assessment has proved there are no risks, and there are no contractual or regulatory requirements in this respect, then you can exclude these controls from SoA - in this case, you have to explain the reason for their exclusion. If you use our SoA template, you will mark those controls as non-applicable, and in the column "Reason" briefly explain that there are no risks and no requirements.

However, controls A.14.1.2 and A.14.1.3 are related to e-commerce, so if you have a web shop, it will be difficult to exclude those. Further, controls from A.15 are about suppliers, which include your telecom provider, so it will be difficult to exclude anything from A.15.
