Number of not applicable controls in statement of applicability
Yes, excluding 50% of controls is rather odd.
It is true that there is no mandatory number of controls, so theoretically you could include any number of controls. However, in practice, I have never seen a company which excluded e.g. backup, malware protection, or business continuity controls. So the point is that most of the controls from Annex A are common sense, and it is very difficult to find a reason to exclude them.
In other words, the criteria for selecting controls are not only risks or requirements from interested parties; it is also whether you have a good enough reason to exclude particular controls.
Jun 02, 2016