This article outlines the procedure for marking a control as out of scope.
When considering whether a control is relevant to your company, it is always important to understand why the control has been included in the framework. Some frameworks, such as SOC2, include controls that are completely optional and can be removed from the scope of your certification at your discretion, whilst other frameworks, such as ISO 27001:2022, require you to assess all controls and determine whether or not they are applicable to your business.
ISO 27001:2022
Some controls may not be relevant to your company because your company does not, for example, outsource development or have an office. However, most of the controls are written in a way that they cannot be put out of scope. All controls should be assessed and a clear justification given as to why a control is out of scope.
How do I mark a control out of scope?
To mark a control as out of scope, access the control via the controls dial on the selected framework on the Frameworks page.
Select the control row on the main page, click on the three dots (meatball menu) on the right-hand side, and select 'Not applicable'.
A window will appear on the right-hand side. Enter the 'Reason for exclusion'.
The control will then move to the bottom of the page in the section 'Controls that have been marked as not applicable'.