27001 ISMS Scope Question

Guest user Created:   Mar 10, 2021 Last commented:   Mar 10, 2021

Hi,

Are you able to help clarify our ISMS scope please? We have just started this process and I want to make sure I understand properly.

Question 1 Scope - Processes and Services

We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

We also use multiple other cloud-based services that contain our customer data, including ***, ***, ***, ***, etc.

Am I right in saying that these third-party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?

 

Question 2 - IT Networks and Infrastructure

Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list, that is: "The organization uses a third-party platform (public PaaS)."

2.1 - So in scope would be our two applications and the data within them, but all networks and infrastructure are out of scope?

2.2 - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

2.3 - Thanks for your help. Please also confirm which email address we should address our questions to.

Expert
Rhand Leal Mar 10, 2021

Question 1 Scope - Processes and Services

We are an IT company that has 2 cloud-based applications which we own, build and license to our customers. We are responsible for the data in these two systems and they are the reason we are undertaking the 27001 certification. So these two applications are obviously included in the Processes and Services part of our scope.

We also use multiple other cloud-based services that contain our customer data, including ***, ***, ***, ***, etc.

Am I right in saying that these third-party systems can be excluded from our scope because it is the responsibility of the third parties (like ***) to secure the data we store in these systems?

Therefore, is it valid to say that the full extent of our Processes and Services scope should be our 2 applications?

Answer: First, it is important to note that an ISMS scope compliant with ISO 27001 cannot be defined in terms of systems and technologies. It must be defined in terms of the information, processes, or locations to be protected.

Since you want to focus on the applications, you should consider for the scope the development, operation and maintenance processes related to these applications.

Considering that, you can include in the scope only the elements you control.

About third parties: you can exclude third-party systems from your scope (e.g., when using cloud servers, you exclude the physical servers of the cloud provider).

These materials will help you regarding scope definition:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/ 
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/

Question 2 - IT Networks and Infrastructure

Our applications live in an ***. I've read your article on defining the scope with cloud servers. I think we're number 4 in that list, that is: "The organization uses a third-party platform (public PaaS)."

2.1 - So in scope would be our two applications and the data within them, but all networks and infrastructure are out of scope?

Answer: Your assumption is correct (networks and infrastructure are out of scope), but please note that the scope definition must be made in terms of the data or processes to be protected, so the statement of your scope should be something like:

"The scope is the development, operation and maintenance processes of applications XXX in our PaaS environment."

"The scope is the data stored and processed by applications XXXX in our PaaS environment."

2.2 - Have I overlooked something here? Is it valid to limit the scope to the applications we own/build/license to our customers?

Answer: First, it is important to note that you cannot define the ISMS scope in terms of applications. In this case, you need to define the scope in terms of the processes to maintain and operate the applications.

Considering that, you can limit the ISMS scope to only part of your organization, but you need to verify first whether the effort to implement this separation is worthwhile (for small organizations of up to 50 employees, defining the ISMS scope as the whole organization is more practical).

This article will provide you with a further explanation of scope definition:
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

2.3 - Thanks for your help. Please also confirm which email address we should address our questions to.

Answer: In the future, if you want to contact us, you can use this e-mail: support@advisera.com
