Defining an ISMS scope
A client wishes to become ISO 27001 certified. My company is a very small ICT firm working in the same building and on the same network as this client (same ip-scope). How should I define their scope?
Please note that an ISO 27001 ISMS scope is defined in terms of information, processes, or locations to be protected.
Considering that, you can try to define the customer scope in terms of the locations in the building it occupies (e.g., which floors or offices). Regarding the network, you need to identify how the IP range used by the customer is separated from other IP ranges you provide (e.g., by using VPN, by having its own device, etc.).
To see what an ISMS scope compliant with ISO 27001 looks like, please access the free demo of our ISMS Scope Document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/
These articles will provide you a further explanation about scope definition:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
These materials will also help you:
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
I am confused about what the Organizational Units would be; we are a software company. Processes and Services, would these be what we provide to customers?
Considering that, if you are a small organization, it is best to define the whole organization as part of the ISMS scope (so in terms of Organizational Units you can state that the whole organization is part of the scope). If you include only one part of your organization, then under 'Organizational Units' you list only the departments that will be included in the scope.
Regarding processes and services, these would be related to the information you want to protect. For example, if you want to protect customer financial data, then the financial processes and services would be included in the scope. In case it is the software you provide to the customer, then you should consider the development and operation processes related to the software (ISO 27001 cannot be used to certify products and services).
Apr 24, 2021