I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in-depth as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer especially as they do not do anything like push patches to a production environment & simply do their due diligence on third-parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:
A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly & not one where there is not even a single office.
A.13.1.3: I'm not sure how segregated the network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, being enough to satisfy this control for this context.
A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.
These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little clearer & if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work from home company that doesn't really own any of their servers, but came up short. If there is already a good filtered list someone already has of typical Not Applicable controls for a SAAS environment like this that would be immensely appreciated. Thank you in advance, this community's always so helpful!
Assign topic to the user
Please note that the SoA needs to be developed based on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts).
In case you do not have a risk relevant enough that justifies the implementation of control, then you do not need to implement it (i.e., state it as applicable in the SoA).
The same applies to legal requirements. In case you do not have a law, regulation, or contract that justifies the implementation of control, then you do not need to implement it.
For further information, see:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
To see examples of applicable controls based on risk assessment, please, see:
- Checklist of cyber threats & safeguards when working from home https://info.advisera.com/27001academy/free-download/checklist-of-cyber-threats-and-safeguards-when-working-from-home
- Diagram of ISO 27001:2013 Risk Assessment and Treatment process https://info.advisera.com/27001academy/free-download/diagram-of-iso-270012013-risk-assessment-and-treatment-process
Comment as guest or Sign in
Oct 19, 2022