Not Applicable Controls for SAAS Environment
I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in-depth as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer especially as they do not do anything like push patches to a production environment & simply do their due diligence on third-parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:
A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly & not one where there is not even a single office.
A.13.1.3: I'm not sure how segregated the network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, being enough to satisfy this control for this context.
A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.
These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little clearer & if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work from home company that doesn't really own any of their servers, but came up short. If there is already a good filtered list someone already has of typical Not Applicable controls for a SAAS environment like this that would be immensely appreciated. Thank you in advance, this community's always so helpful!
Assign topic to the user
Please select user.
Oct 19, 2022