For any requirement statement marked as N/A, the Assessed Entity must provide a clear and concise rationale supporting why the requirement statement is not applicable to the in-scope environment. The rationale should directly address the requirement statement and the current state of the in-scope environment. The following examples show acceptable N/A rationales for the corresponding situations:
| Requirement Statement | In-scope environment background | Rationale for N/A |
| --- | --- | --- |
| 0302.09o2Organizational.1 The organization protects and controls media containing sensitive information during transport outside of controlled areas. | The Assessed Entity does not maintain any portable media within its in-scope facilities. | Removable media devices are not used or permitted within the in-scope environment. Therefore, the organization has no media to protect or transport. |
| 19243.06d1Organizational.15 The organization specifies where covered and/or confidential information can be stored. | The Assessed Entity is a business associate and does not process, manage, or store covered or confidential information. | “XYZ” is a business associate, not a covered entity. It does not process, manage, or store any covered or confidential information. |
| 0504.09m2Organizational.5 Firewalls are configured to deny or control any traffic from a wireless environment into the covered and/or confidential data environment. | The Assessed Entity has no wireless access points within the in-scope environment. | “XYZ” does not have or utilize any wireless access points within the in-scope environment. |
| 1699.09l1Organizational.10 Workforce members’ roles and responsibilities in the data backup process for Bring Your Own Device (BYOD) are identified and communicated to the workforce; in particular, users are required to perform backups of organizational and/or client data on their BYOD devices. | The Assessed Entity does not allow the use of any personal devices within the in-scope environment, so there are no BYOD devices. | “XYZ” does not permit any personal devices within the in-scope environment. |
| 19165.07e1Organizational.13 The organization physically and/or electronically labels and handles sensitive information commensurate with the risk of the information or document. Labeling reflects the classification according to the rules in the information classification policy. | The Assessed Entity does not manage or store sensitive information within the in-scope environment. | “XYZ” does not manage or store any sensitive information within the in-scope environment. |