How much of Partial scope is permitted?
Rakesh,
If I understood well, only your items #2 and #4 contain questions, so here are the answers:
2) Yes, it is allowed to restrict ISMS scope to IT services only and to exclude the network.
4) Theoretically, the company could agree with the certification body that the certification scope is narrower than the ISMS scope - however, such an arrangement is extremely rare, and it brings numerous problems (e.g. to which scope do the controls from the Statement of Applicability apply?). The certification auditor does not audit external parties - the auditor must check how an organization manages the security of information related to third parties.
In any case, setting the scope which is smaller than the whole organization creates numerous problems, and it should be avoided - the best would be to have the ISMS scope that covers the whole organization. See also: Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
Thank you, Sir. Is it true that, with the change of scope, the interested parties (external and internal) and the issues (external and internal) will also change? If yes, should we fix the scope first (clause 4.3) or the interested parties and the issues (4.1 and 4.2)?
You should identify the interested parties and the issues first, because interested parties may directly influence the scope itself - e.g. some of the government agencies may require you to implement ISMS in your whole company.
See also this article: How to identify interested parties according to ISO 27001 and ISO 22301 https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
Jan 12, 2016