Expert Advice Community

Defining an ISMS scope

Guest user. Created: Mar 23, 2021. Last commented: Apr 24, 2021

A client wishes to become ISO 27001 certified. My company is a very small ICT firm working in the same building and on the same network as this client (same ip-scope). How should I define their scope?


Rhand Leal (Expert), Mar 23, 2021

Please note that an ISO 27001 ISMS scope is defined in terms of information, processes, or locations to be protected.

Considering that, you can try to define the customer's scope in terms of the locations in the building it occupies (e.g., which floors or offices). Regarding the network, you need to identify how the IP range used by the customer is separated from the other IP ranges you provide (e.g., by using a VPN, by having its own device, etc.).

To see what an ISMS scope compliant with ISO 27001 looks like, please access the free demo of our ISMS Scope Document at this link: https://advisera.com/27001academy/documentation/isms-scope-document/

These articles will provide you with a further explanation of scope definition:

These materials will also help you:

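The expert's point about the shared network is the one part of this answer that can be checked rather than just documented: before writing "the client's network is separated from ours" into the scope document, verify that the address ranges attributed to each party do not overlap, that every asset sits in its owner's range, and that the two parties do not share a layer-2 segment. The script below is an added example, not code from the original post or from Advisera; the subnets, VLAN numbers and host inventory are constructed and hypothetical, and `check_scope_boundary` is an illustrative name.

```python
import ipaddress

# Constructed sample: the ICT firm and its client share one building and one /24,
# and the /24 has been split in half. Addresses, VLANs and host names are hypothetical.
CLIENT_NETS = ["10.0.10.0/25"]      # addresses the client declares in its ISMS scope
OUR_NETS = ["10.0.10.128/25"]       # addresses the ICT firm keeps for itself

INVENTORY = [
    {"host": "client-fs01", "ip": "10.0.10.5",   "vlan": 10, "owner": "client"},
    {"host": "client-ws07", "ip": "10.0.10.40",  "vlan": 10, "owner": "client"},
    {"host": "ict-backup",  "ip": "10.0.10.130", "vlan": 10, "owner": "ict"},    # same VLAN as the client
    {"host": "ict-pc02",    "ip": "10.0.10.200", "vlan": 20, "owner": "ict"},
    {"host": "client-nas",  "ip": "10.0.10.150", "vlan": 10, "owner": "client"}, # client box in our range
]


def check_scope_boundary(client_nets, our_nets, inventory):
    """Return a list of findings that contradict the claim that the client's
    network is separated from the ICT firm's network. An empty list means the
    scope boundary, as described, is consistent with the inventory."""
    client = [ipaddress.ip_network(n) for n in client_nets]
    ours = [ipaddress.ip_network(n) for n in our_nets]
    findings = []

    # 1. The two address ranges must not overlap; an overlap means no boundary
    #    can be drawn at the IP layer at all.
    for c in client:
        for o in ours:
            if c.overlaps(o):
                findings.append(f"overlap: {c} and {o}")

    # 2. Every asset must sit inside the range of the party that owns it,
    #    otherwise the range written into the scope document is wrong.
    client_vlans, our_vlans = set(), set()
    for asset in inventory:
        ip = ipaddress.ip_address(asset["ip"])
        in_client = any(ip in n for n in client)
        in_ours = any(ip in n for n in ours)
        if asset["owner"] == "client" and not in_client:
            findings.append(f"{asset['host']}: client asset outside client range")
        if asset["owner"] == "ict" and not in_ours:
            findings.append(f"{asset['host']}: ICT firm asset outside its own range")
        (client_vlans if asset["owner"] == "client" else our_vlans).add(asset["vlan"])

    # 3. Separate IP ranges on one broadcast domain are not a separation
    #    (ARP spoofing, DHCP, and sniffing cross the boundary freely), so the
    #    two parties must not share a VLAN.
    for vlan in sorted(client_vlans & our_vlans):
        findings.append(f"vlan {vlan}: shared by client and ICT firm assets")

    return findings


if __name__ == "__main__":
    for finding in check_scope_boundary(CLIENT_NETS, OUR_NETS, INVENTORY):
        print(finding)
```

With the constructed inventory the check reports two problems: `client-nas` lives in the firm's half of the /24, and VLAN 10 carries both parties' hosts. Either one makes "separated by IP range" an inaccurate statement in the scope document; the fix is to move the asset or split the VLAN, not to reword the scope.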
Sameer Rao Apr 22, 2021

I am confused about what the Organizational Units would be; we are a software company. Processes and Services, would these be what we provide to customers?

Rhand Leal (Expert), Apr 24, 2021

Considering that, if you are a small organization, it is best to define the whole organization as part of the ISMS scope (so in terms of Organizational Units you can state that the whole organization is part of the scope). If you include only one part of your organization, then under 'Organizational Units' you list only the departments that will be included in the scope.

Regarding processes and services, these would be related to the information you want to protect. For example, if you want to protect customer financial data, then the financial processes and services would be included in the scope. If it is the software you provide to the customer, then you should consider the development and operation processes related to the software (ISO 27001 cannot be used to certify products and services).
