Removing the lower level nested Requirement Statements from an assessment
When you have a level 3 Requirement Statement, can the level 1 and level 2 Requirement Statements for that same control be removed from the assessment? This would remove redundancy by not having to ask the business for evidence at each level, because it would be included in the level 3. This would also lower the number of overall baselines while still covering the control.
Great suggestion. This is actually on the slate to be addressed in v10 of the CSF.
Brian Scheuber commented
Agree that higher level requirements should be assumed to include the expectations of lower level requirements. So eliminating the redundancy would be a time saver while still addressing the expected levels of compliance.