Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:

Expert Advice Community

27001 Scope Confusion

SHUHARI Created:   Nov 23, 2019 Last commented:   Nov 26, 2019

27001 Scope Confusion

Our company is doing a product-specific scope for ISO27001.  It's not clear to me how complex this will get to carve out the scope of the product when dealing with internal Shared services.

For example, Corporate IT manage the laptops, office networking, and e-mail accounts of the engineers/administrators of the product.  But has no access to the network/servers of the product itself.  Compromise of their office networking, laptops, or corporate account may influence the security of the information/system in scope (stealing credentials, exploitation of trust, etc).  I know this depends on the auditor, but is it reasonable to state corporate IT process/procedures out of scope but still a dependancy?

Dialing this back though, nobody involved has a formal ISMS, nor a proper framework for policy/procedures/controls.

Assign topic to the user


Step-by-step implementation for smaller companies.


Step-by-step implementation for smaller companies.

Rhand Leal Nov 26, 2019

First is important to note that products cannot be certified against ISO 27001. Processes and services which supports a product can be certified.

Considering that, since information related to the product flows through IT assets and the access to the product itself is provided by Corporate IT, Corporate IT process should be considered part of the scope, not a dependency.

This article will provide you further explanation about defining scope:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

0 0

Comment as guest or Sign in

HTML tags are not allowed

Nov 23, 2019

Nov 26, 2019