Having implemented ISO 27001 Information Security Management Systems, and spoken to others who have, there is a group of controls from Annex A that seems to be regularly excluded.
A10.9 Electronic Commerce Services has the objective “To ensure the security of electronic commerce services and their secure use”.
This is further broken down to:
A10.9.1 Electronic Commerce.
A10.9.2 Online Transactions.
A10.9.3 Publicly Available Information.
At face value these seem justified exclusions, as many businesses don’t run an online shop or accept online payments.
However, an online search to define “electronic commerce” soon expands the potential scope of this control:
webopedia.com writes “Often referred to as simply e-commerce, business that is conducted over the Internet using any of the applications that rely on the Internet, such as e-mail, instant messaging, shopping carts, Web services, UDDI, FTP, and EDI, among others.”
We could then find all three of these controls applicable, by asking questions such as:
Do we conduct business using the Internet? Do we ever make purchases online? Can our customers submit information using the contact form on our website? Is our website protected from unauthorised modification? Who maintains our website?
Would you still feel comfortable excluding these controls?
Many certification bodies will, and should, accept your interpretation of the standard. Although this may achieve certification, are you sure it reduces your exposure to risk as much as it could?