Specifying excluded controls as exclusions in the ISMS Scope document
The ISMS scope document can only exclude certain departments, processes, locations or assets of your organization. However, for those departments/processes/locations/assets that remain within the scope, you cannot exclude the controls in this phase - the decision whether to apply or exclude controls can be made only after the risk assessment & treatment is finished.
The point is - the controls can be excluded only if there are no risks which would require such controls. Read more here: ISO 27001 risk assessment & treatment 6 basic steps
Jan 12, 2016