I saw this great post today that made me laugh myself to tears:
"AWS Security Hub now allows you to disable controls for compliance standards!"
Pesky security controls? Just click, click, the author said, and they will be gone! No need to worry about them being in your audit scope. Believe it or not, this is a "feature" they are selling to their customers 😞
If the controls shouldn't be in scope based on the risk analysis, then they should be able to be disabled. Different systems require different controls. Sometimes more, sometimes less, than the generally accepted best practices in whatever compliance standard you are measuring against. If a control costs you more than the value of the asset it protects, get rid of it, period. Only your business can make that determination; then, of course, you have to prove it to the auditor.