Information Security Aspects of Business Continuity
Applicability of ISO 27001 procedures in scope with multiple departments
1. If there are, say, 2 business units A & B in the isms scope. On risk assessment it was found that A requires a specific control to mitigate a specific risk (e.g. backup of its systems to maintain business operations in the event of a disaster). So a standard or policy has been written up that states that requirement. But, the standard or policy states the scope is the scope defined in the scope document. And scope document says both A & B are included. So the question is, does that control requirement apply to only A or all units?