What are out of scope domains?
A domain is out of scope when a supplier answers “No” to the scoping question for that domain. For example, the scoping question for section G is: “Does your organisation rely upon any physical premises, such as offices, warehouses or data centres?” If the supplier replies with “No”, the domain is scoped out as N/A, so they do not need to answer the control questions within that domain.
How compliance scores are affected by out of scope domains
If a policy requires a control question within a domain to be answered Yes/No, but the domain is out of scope for the supplier, the control will show as non-compliant because the answer is N/A. We show these controls as non-compliant to err on the side of caution, so that the client can double-check them.
To apply an exemption, navigate to the control that is non-compliant and select the "Apply Exemption" button if appropriate.
You can also apply exemptions in bulk: tick the check box on the top left of each domain, then select the 'Apply to selected' button on the top right of the page.
Parent and child questions
If a parent question is answered with “No”, the child question is marked as N/A.
For example, D26 and D23 are both parent questions. The child question’s answer is not applicable, but it is shown as non-compliant. The system's logic treats any answer that does not match the policy requirement as non-compliant, regardless of whether it is N/A or not.
The solution in this case would be to apply an exemption to the child question that is showing as non-compliant.
Using discussions to address out of scope domains
If you think a supplier should have answered a domain and that using an exemption is not appropriate, you can start a Discussion with the supplier against the scoping question, asking them to change their answer. This will bring the domain into scope.
You can read more about Discussions here.