Guest user Created: Jan 12, 2016 Last commented: Jan 12, 2016

Confining a registrar to the scope that has been defined

How does one go about confining a registrar during the audit to the scope that has been defined? Ive experienced an auditor who seems to be attempting to expand ISMS scope beyond the internally agreed upon scope. We are limiting scope of the ISMS to the ***; nothing more nothing less.

0 0

Assign topic to the user

Select user

Guest

DejanK Jan 12, 2016

I realize the ISMS can be a system that covers more than just security operations, but for initial purposes the *** and ISMS are defined as one and the same. The definition will change over time as scope increases. Just curious.

Answer:

Just because you have defined a certain ISMS scope does not mean such scope is feasible - for example, if there are no clear boundaries for such a scope, then you would have to expand the scope.

Therefore, if your scope is not feasible you should listen to the certification auditor; if your scope is feasible then you have to prove to certification auditor why do you think so. Generally, the recommendation is that the information security should cover the entire organization.

These articles can also help you:

How to de fine the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Jan 12, 2016

Expert Advice Community