I am curious to know about the coverage of all controls during the external audit. To one of my questions, you said that only the controls which are applicable can be considered.
So, my next question is: I am working for an IT software company, and can I skip any or all of the following controls:
A 6.2: Mobile devices and teleworking
A 7: Human resources security
A 8: Asset management
A 9: Access control
A 10: Cryptography
A 11: Physical and environmental security
Please advise. I would like to know:
a. What are the criteria for selecting a control?
b. Which are the mandatory controls (must-have controls) that the external auditor would like to see for certifying the company?
My understanding is that all the controls are applicable to all industries, companies, etc. Hence the question.