Excluding secure development from Statement of Applicability
14.1.2
14.1.3
14.2.1
14.2.2
14.2.3
14.2.4
All the way till
15.1.3
Answer: If your risk assessment has proved there are no risks, and there are no contractual or regulatory requirements in this respect, then you can exclude these controls from the SoA - in this case, you have to explain the reason for their exclusion. If you use our SoA template, you will mark those controls as non-applicable, and in the column "Reason" briefly explain that there are no risks and no requirements.
However, controls A.14.1.2 and A.14.1.3 are related to e-commerce, so if you have a web shop, it will be difficult to exclude those. Further, controls from A.15 are about suppliers, which include your telecom provider, so it will be difficult to exclude anything from A.15.
Jan 12, 2016