Expert Advice Community

BAU activities

Guest user. Created: Jun 09, 2020. Last commented: Jun 09, 2020.

I missed the live session but really enjoyed the recorded version. During the session, you mentioned that it is possible to ask you directly. I have this project to get this company ISO 27001 certified. This is a small company in the *** with 3 employees there, 2 developers in ***, and about 40-50 customer service agents in the ***. They are collecting medical records for lawyers, and the *** based team is actually carrying out the BAU work, scanning the documents, etc. *** staff only do sales and management, so the operation is fully at a remote location. The persons there are not employees but more like sole traders, using their own devices to access the company’s portal to manage the documents.

We want to save money to limit the certification to the US company, so the auditors won’t need to visit the Philippines; however, the ISMS scope needs to be the operation and management of the medical record collection and handling service.

I’m thinking of recommending that the client handle the BAU activities as outsourced, and we will set the controls from A.15.

I would appreciate your input.

Expert
Rhand Leal Jun 09, 2020

I'm assuming that by BAU you mean "Business as Usual".

Considering that, given the size of this company, it is easier to define that only the headquarters is in the ISMS scope, and to treat all other locations as outsourced parties.

In this approach, you can treat the risks related to the remote locations by means of controls from section A.15.

These articles will provide you with further explanation about the scope definition and supplier management:
