How do I mark a control as Out of Scope?

When considering whether a control is relevant to your company or not, it is always important to understand why the control has been included in the Framework. Some frameworks such as SOC2 include controls that are completely optional and can be removed from the scope of your certification at your design,  whilst other frameworks such is ISO 27001: 2022 require you to assess all controls and determine whether or not they are applicable to your business.

ISO 27001: 2022

Some controls may not be relevant to your company because your company does not for example,  outsource development, or have an office. However, most of the controls are written in a way that they cannot be put put of scope. All controls should be assessed and clear justification given as to why a control is out of scope. 

How do I mark a control out of scope?

In order to mark a control as out of scope go to Frameworks > Controls.

Open a control by clicking on it and scroll down to Settings (or click on the Settings tab at the top). Click the Mark Out of Scope button.

A right hand-side menu will appear. Enter the reason for exclusion.

Review the impact of excluding your control, check the box and confirm.

The Out of Scope controls can be found by selecting the corresponding filter. It can be either done at the top or in the left-hand side.