Please can you define what constitutes ‘data’ under the ISO27001 criteria? Data is everywhere. Is it just sensitive data that we need to capture within our ISMS scope? How do you define sensitive data within both the internal and external business context?
I know from Dejan’s webinars on ISMS scope, that we only need to have in scope where data is processed that is in our control. Not data that is processed that is out of our control.
1 - Please can you define what constitutes ‘data’ under the ISO27001 criteria?
Answer: Please note that ISO 27001 does not have a definition for "data", mostly because its purpose is to protect the information, and as strange as it seems, it does not have a definition for "information" either.
However, ISO/IEC 2382, which defines Information Technology vocabulary can provide some help. Broadly speaking:
- information refers to facts, events, things, processes, or ideas, including concepts, that have a particular meaning in a given context
- data refers to a representation of information in a way suitable for communication, interpretation, or processing
2 - Data is everywhere. Is it just sensitive data that we need to capture within our ISMS scope?
Answer: First, it is important to note that the focus of ISO 27001 is information, which goes beyond data. Considering that, you definitely need to capture sensitive information within your ISMS scope, but what happens in some cases, especially in small and medium organizations, is that the effort to include only sensitive data, and separate it from the other information, is not worthwhile, so it is more practical to include all of the organization's information in the ISMS scope.
For further information, see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
3 - How do you define sensitive data within both the internal and external business context?
I know from Dejan’s webinars on ISMS scope, that we only need to have in scope where data is processed that is in our control. Not data that is processed that is out of our control.
Answer: First, it is important to note that for ISO 27001 the impact on confidentiality, integrity or availability is what makes data sensitive.
Considering that, information sensitivity will depend on how the impact on these elements affects the objectives defined for the ISMS and applicable legal requirements.
For example, if the objective is to protect a system provided to customers, the system's source code is sensitive information. In case GDPR is applicable to your organization, then European citizens' data are sensitive information.
For further information, see:
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Sep 11, 2020