Expert Advice Community

Scope definition

Guest user Created:   Mar 22, 2018 Last commented:   Mar 22, 2018

I'm a student working on a project. In this project we need to make the company pre-audit ready. I'm having a hard time with the scope of the ISMS - interfaces.
Expert
Rhand Leal Mar 22, 2018

This is how I did it:
I made a list of items that the company uses, like routers, firewalls, switches, etc.
I made a list of software that they use that inputs and outputs sensitive information.
And I made a list of external parties that input and output sensitive information.

My questions are:

1 - Do I need to describe which department in the company makes use of this software?

Answer: First, it is important to note that an ISO 27001 scope is defined in terms of locations, organizational units and/or information the ISMS is supposed to protect. Considering that, your first two lists refer to assets that are included in your scope, and your last list presents elements that interface with your ISMS. These are important things, but they do not define your scope, so it is necessary for you to define at least the department in the company that uses this software and the information that is handled.

2 - Do I have to mention all external parties that are out of scope in the chapter out of scope?

Answer: Following the first answer, external parties do not need to be included in the scope statement, whether or not they interface with the ISMS.

3 - Did I miss something in the chapter interfaces?

Answer: Maybe you should consider the identification of the processes that make use of the software you identified and are used by the external parties to input and output information.

These articles will provide you further explanation about defining scope:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

These materials will also help you regarding defining scope:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
