Exclusion of controls
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
1. doesn't have any e-commerce activities
2. doesn't have internal software development activities. There are an internal IT department, but software development is externalized.
Answer:
Point 1: In the ISO 27001:2013 there is no control directly related to e-commerce. You can find the control A.14.1.3 Protecting application services transactions but it can be for any transactions, not only related to e-commerce.
Point 2: In principle you can exclude all controls related to the A.14.2 Security in development and support processes: A.14.2.1 Secure development policy, A.14.2.2 System change control procedures. Etc.
Keep in mind that the exclusion of controls can be made only after the risk assessment is finished.
Finally, I recommend you to read this article "The basic logic of ISO 27001: How does information security work?" : https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
Comment as guest or Sign in
Jan 12, 2016