Expert Advice Community

ISO 27001 questions - Conformio/Toolkit

Guest user Created: Feb 04, 2022 Last commented: Feb 04, 2022

I have some questions about the ISMS scope document from the toolkit. We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS but we on our side have suppliers who provide us the data center. These are the services we offer. The question is - does this mean that the provider who has control is the customer, us as the provider of the service or the third party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table. Am I correct?

In that case, should we include the Datacenter as an asset of our organization or not, since this is something we rent? In that case this asset should not be included, is that correct?

Should we also include storage media as an asset, considering the scope of our business?

When thinking about assets "Internally developed software" and "servers" - should we consider all different products we are providing and servers we are using as separate assets, or can we write just general "Servers" or "Internally developed software" and that is enough?

When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server or does it refer to the operating systems our customers are using when downloading and using our service?


Expert
Rhand Leal Feb 04, 2022

We own the servers in a data center that is owned by a third party, so what does it mean that the provider has control? Our customers purchase our service as SaaS but we on our side have suppliers who provide us the data center.
The question is - does this mean that the provider who has control is the customer, us as the provider of the service or the third party service we use to rent the data center? How does this affect our risk matrix? We buy/rent our infrastructure so what asset should we include in the risk matrix? What I understand is that we should mark ourselves as number 2 in this table.

Am I correct?

Considering that you are managing the servers in the data center, then your understanding is correct, you only need to include the servers, their software, and data in the ISMS. The physical location is out of scope.

The impact in the risk matrix is that any risk related to the data center physical environment will be treated by transferring the risk to the provider (in general by including information security clauses in the contract or service agreement you have with them).

In that case, should we include the Datacenter as an asset of our organization or not, since this is something we rent?

In that case this asset should not be included, is that correct?

The data center needs to be considered in your risk assessment, but since the data center is out of the scope, it cannot be listed as an asset. In Conformio you need to list it as a third-party service, something like "colocation services" or "renting the data center space", and use it in your risk assessment.

Should we also include storage media as an asset, considering the scope of our business?

In case the information you want to protect may be stored in such assets, and you have control over them at such a level that you can implement and manage security measures, then you should consider them in the ISMS scope. Otherwise, you should keep them out of the scope.

When thinking about assets "Internally developed software" and "servers" - should we consider all different products we are providing and servers we are using as separate assets, or can we write just general "Servers" or "Internally developed software" and that is enough?

The rule of thumb here is that if the assets share the same risks, then you can treat them as a single asset, like “servers”. In case specific assets have specific risks, you should treat them separately, like “development servers” and “production servers”.

For further information, see:

When thinking about "Operating system" as an asset - does this refer to the operating systems we use in our organization where we are running the server or does it refer to the operating systems our customers are using when downloading and using our service?

As for "Operating system" you need to consider any computers you have in the scope.
