Company allocated temporarily in another company
Assign topic to the user
We need more information about your scenario. What is the current scope? Anyway, it is not necessary to extend the scope, further if there are assets of another company, you can control them? If not, you also can not perform the risk assessment & treatment. So, I think that the best option here is that you maintain your scope and your inventory of assets.
For more information about the definition of the scope, please read this article How to define the ISMS scope : https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Anyway, in case there are assets his company is using that are not included in the scope, then they can treat this other company as a supplier.
Regarding to suppliers, I recommend you to read this article "6-step process for handling supplier security according to ISO 2700 1" : https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Any problem we have on the internet, printer or computers, communicate that company. We do not have a team that do this type of service. The help desk services are provided by this company. So I am very confused do not know if such equipment shall be considered as our assets, because we use them directly and should enter our scope or on the interfaces and dependencies. Any suggestion?
In this case, from my point of view, you can evaluate risk related to these assets in your risk assessment, but in the risk treatment you will need to transfer risks to this company, but for this, you need to make a contract with that company where the clauses reflect the identified risks.
Comment as guest or Sign in
Jan 12, 2016