If the business is implementing ISO 27001 and all their servers and assets are in the cloud, except for a few laptops, and the ISMS scope is all services provided by their business in which cloud servers are being used, then my understanding is that the cloud servers will also be part of the scope in the asset list for the ISMS audit. The business is assuming the cloud servers should not be in the scope, as they are not going for ISO 27017 certification, which focuses on cloud security. My own opinion is that the cloud assets would be part of the scope and should be part of the ISMS audit. Please confirm your opinion.
ISO 27001 is a cybersecurity standard that contains some controls (safeguards) for the cloud, so most companies do include cloud assets in the scope when implementing this standard. In other words, if you have sensitive data in the cloud, it makes sense to include your cloud environment in the scope even if you do not go for ISO 27017.
ISO 27017 provides you with some extra controls for the cloud environment, but this does not mean that the cloud environment should be excluded if you do not go for this standard.
See also:
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- ISO 27001 vs. ISO 27017 – Information security controls for cloud services https://advisera.com/27001academy/blog/2015/11/30/iso-27001-vs-iso-27017-information-security-controls-for-cloud-services/
Dec 06, 2022