Third-Parties
7.3.1 - “For i1 and e1 assessments, third-parties relevant to the in-scope environment may be excluded from testing (i.e., carved-out). In order to exclude the third-party:” - why is exclusion allowed and documentation of N/A allowed as there is still third-party risk? Why not utilize inheritance or a SOC 2 report, or other compensating controls or testing?
1 vote
Emily shared this idea