Specifying excluded controls as exclusions in the ISMS Scope document
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISMS scope document can only exclude certain departments, processes, locations or assets of your organization. However, for those departments/processes/locations/assets that remain within the scope, you cannot exclude the controls in this phase - the decision whether to apply or exclude controls can be made only after the risk assessment & treatment is finished.
The point is - the controls can be excluded only if there are no risks which would require such controls. Read more here: ISO 27001 risk assessment & treatment 6 basic steps
Comment as guest or Sign in
Jan 12, 2016