Context and scope of the ISMS / ISO 27001 v 2013
Hi Afef
ISO 27001:2005 (Clause 4.2.1.a) clearly describes the scope. If you keep it, that's fine.
ISO 27001:2013 looks at the issue differently and adds to it.
Clause 4.3 (new) is the same as Clause 4.2.1.a (old) and adds 4.1 and 4.2.
So, as you propose, keep the old scope and add to it.
There is, however, no explanation in ISO 27001 of what it means, except the reference to ISO 31000:2009 clause 5.3.
Short explanation:
4.1 requires you to continually analyse the context (social, cultural, political, legal, financial, technological and market) of your organisation to make sure you take all elements into consideration to tailor your scope to your real macro needs.
4.2 requires you to understand and integrate the (security) expectations of the interested parties, which may be 1) external: regulators, stakeholders, suppliers, partners, clients; and 2) internal: asset owners, CIO and IT department, decision makers, users, etc.
These posts on the blog can also help you:
"Explanation of ISO 27001:2013 clause 4.1 (Understanding the organization)": https://advisera.com/27001academy/knowledgebase/how-to-define-context-of-the-organization-according-to-iso-27001/
"Problems with defining the scope in ISO 27001": https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
"How to identify interested parties according to ISO 27001 and ISO 22301": https://advisera.com/27001academy/knowledgebase/how-to-identify-interested-parties-according-to-iso-27001-and-iso-22301//
"Risk owners vs. asset owners in ISO 27001:2013": https://advisera.com/27001academy/knowledgebase/risk-owners-vs-asset-owners-in-iso-270012013/
It has to determine its own needs and expectations and those of interested parties, and decide the scope of the ISMS.
So we would suggest you avoid the risk analysis or any deep "what if" consideration at this stage and concentrate on identifying the issues. Personal data, sensitive customer ideas and IPR, financial information, brand, codebases, etc.? Therefore consider any existing issues of: recruitment e.g.
Jan 24, 2022