- Two-factor authentication (2FA) - Not stipulated
- Access control for any accounts that store sensitive information - Access control policy is required
- End-to-end encryption - Not stipulated
- Training staff in data protection awareness, and a data privacy policy - Training policy is required
For the controls not stipulated in the standard (e.g. 2FA, E2E encryption), you may find you ultimately need them once you do an information risk assessment. As long as you explain clearly why the risk is not significant enough to require it or have good alternate controls, you won't get dinged by the auditor for not having these.