Justification and control objectives

Please note that justifications in the Statement of Applicability need to be based on applicable legal requirements, relevant risks, or management decisions (in general because management considers the implementation of control as a good practice).

Considering that, the fact that you operate on a remote structure wouldn’t be enough. Since you stated that you do not have legal or contractual reasons for justifying some controls, you should review the results of the risk assessment to see if any identified risk can be used as a justification. If there are no relevant risks, you do not need to implement any controls.

In case you decide to implement a control regardless of the lack of legal requirements and relevant risks, you can state as justification that the control implementation is considered good practice management.

For further information, see:

• How to apply information security controls in teleworking according to ISO 27001 https://advisera.com/27001academy/blog/2021/10/27/how-to-use-iso-27001-to-secure-data-when-working-remotely/
• Checklist of cyber threats & safeguards when working from home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home