I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in-depth as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer especially as they do not do anything like push patches to a production environment & simply do their due diligence on third-parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:
A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly & not one where there is not even a single office.
A.13.1.3: I'm not sure how segregated a network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, to be enough to satisfy this control in this context.
A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.
These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little more clearly & if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work-from-home company that doesn't really own any of its servers, but came up short. If someone already has a good filtered list of typical Not Applicable controls for a SaaS environment like this, that would be immensely appreciated. Thank you in advance, this community's always so helpful!