Please can you define what constitutes ‘data’ under the ISO27001 criteria? Data is everywhere. Is it just sensitive data that we need to capture within our ISMS scope? How do you define sensitive data within both the internal and external business context?
I know from Dejan’s webinars on ISMS scope, that we only need to have in scope where data is processed that is in our control. Not data that is processed that is out of our control.