Applicability of ISO 27001 procedures in scope with multiple departments
This question stems from the fact that much of our existing documentation, such as standards and procedures, has been written up in a way that gives the reader the impression that the controls mentioned in these documents are minimum requirements to be applied to all in-scope units; whereas, in the first instance, the control would have been chosen as an answer to one unit's risk.
Answer:
You should decide on your own whether your documents (e.g. policies, procedures, etc.) will apply to your whole organization, to your whole ISMS scope, or only to a particular organizational unit. However, when writing your documents, you have to specify clearly to which organizational units they apply; you can also specify this information in the Statement of Applicability.
This article can also help you: How to define the ISMS scope https://advisera.com/27001academy/blog/2014/10/13/how-to-define-the-isms-scope/
2. Can or should the scope document be reviewed periodically?
Answer:
The ISMS scope document should definitely be reviewed periodically; typically this is once a year, before you start doing the risk assessment.
Jan 12, 2016