ISO 27001 corporate vs business functions
I wonder whether you could advise me, We are planning to have a ISO27001 assessment but assessment team is planning to audit the Business function assets as well. However as far as I know ISO27001 is dealing with Corporate functions only (workplace, HR, IT, Procurement...). Could you let me know whether my understanding is correct? Is there any article already written on this please?
Assign topic to the user
I’m assuming that by business functions you mean activities related to the organization’s core business, while for corporate functions you mean supporting activities.
Considering that, please note that ISO 27001 aims to protect any kind of information, and depending on the defined scope, the information can be either related to Business functions as well as to Corporate functions. So, you need to clarify first with your assessment team which information, processes, and/or locations will be part of your ISMS to verify which functions need to be assessed.
These articles will provide you a further explanation about ISMS scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you regarding ISMS scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Comment as guest or Sign in
Jan 16, 2021