If you are not involved in any kind of implementation of information systems, and if you have no associated risks, then you can define this control as non applicable in the Statement of Applicability. In such a way, you don't have to apply this control at all.
As my understanding this policy will be applied on some of our internal website tools those we developed by our-self and use for internal purpose only. How about systems those we do not develop but purchase and implemented it, such as: Exchange server, Antivirus server, File server, etc.? should we apply this policy?