Expert Advice Community

Not Applicable Controls for SAAS Environment

suoira Created:   Oct 14, 2022 Last commented:   Oct 19, 2022

I'm trying to figure out if certain controls should be listed as Not Applicable on an SOA for an organization that doesn't really manage their network in-depth as their users really just log into cloud-based services such as SharePoint & OneDrive remotely from home. To be clear, they do not have a need for anyone like a network engineer especially as they do not do anything like push patches to a production environment & simply do their due diligence on third-parties like Microsoft to make sure they are secure enough to communicate sensitive information. My question is whether the following should be Not Applicable:

A.11.1.1 - A.11.2.5: They seem to all be controls that would only be relevant in a physical environment where people would come in regularly & not one where there is not even a single office.

A.13.1.3: I'm not sure how segregated the network the standard wants for one that doesn't even require a network tech. I would consider sensitive folders being limited to specific privileged users, for example, being enough to satisfy this control for this context.

A.14.1.2 - A.14.1.3: I actually think both of these should be Applicable, but want to make sure. If users are allowed to connect from public networks & securely send sensitive emails, I think it makes sense to include them in the SOA. Confirmation from someone else here would be appreciated.

These are the controls I wanted to clarify the most. I'm sorry if I could've written this all out a little clearer & if these questions have already been answered. I tried searching for a list of controls that would normally be Not Applicable for a typical work-from-home company that doesn't really own any of their servers, but came up short. If there is already a good filtered list someone has of typical Not Applicable controls for a SAAS environment like this, that would be immensely appreciated. Thank you in advance, this community's always so helpful!

Expert
Rhand Leal Oct 19, 2022

Please note that the SoA needs to be developed based on the results of risk assessment and applicable legal requirements (i.e., laws, regulations, and contracts).

In case you do not have a risk relevant enough to justify the implementation of a control, then you do not need to implement it (i.e., state it as applicable in the SoA).

The same applies to legal requirements. In case you do not have a law, regulation, or contract that justifies the implementation of a control, then you do not need to implement it.

For further information, see:

To see examples of applicable controls based on risk assessment, please, see:
