Expert Advice Community

Guest

Defining ISMS scope and access profiles

  Quote
Guest
Guest user Created:   Sep 06, 2019 Last commented:   Sep 06, 2019

Defining ISMS scope and access profiles

Antes de plantearle una duda que tengo les pongo en situación: Mi empresa realizó previamente un análisis de riesgos por el que tenemos dicho análisis y la declaración de aplicabilidad (aplica todo), para avanzar en el objetivo de conseguir la certificación ISO 27001 se incorporó en nuestra compañía una responsable de cumplimiento legal y se ha puesto al frente para conseguir esta certificación, analizó los datos comentados antes y nos solicitó a IT las políticas de seguridad (este es el motivo de la adquisición de las plantillas: la creación de nuestras políticas en base a estas plantillas)
0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Sep 06, 2019

Bien, en nuestra empresa tenemos aplicaciones propias y externas alojadas en nuestro CPD, pero también utilizamos otras como servicios en la nube, mi duda es ¿Estas aplicaciones en la nube utilizadas como servicios entran dentro del alcance del SGSI? Yo creo que sí porque están involucradas en los procesos de la compañía pero necesito de su opinión.

Otra duda: en la política de control de acceso en el apartado 3 ustedes han establecido en la planti lla perfiles de usuario y derechos:

¿Estos sistemas son todas y cada una de las aplicaciones dentro del alcance del SGSI o son procesos (donde puede haber más de una aplicación que se use)?

(Before I ask you a question, I put you in a situation: My company previously carried out a risk analysis for which we have said analysis and the declaration of applicability (apply everything), to advance in the objective of obtaining the ISO 27001 certification, it was incorporated into Our company a responsible for legal compliance and has taken the lead to achieve this certification, analyzed the data mentioned above and asked IT for security policies (this is the reason for the acquisition of the templates: the creation of our policies in base to these templates)

1 - Well, in our company we have our own and external applications hosted in our CPD, but we also use others as cloud services, my question is: Are these cloud applications used as services within the scope of the ISMS? I think so because they are involved in the company's processes but I need your opinion.

Answer:

If these cloud applications store or process information you want the ISMS to protect, then you have to include them in the ISMS scope.

For further information, please see:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Defining the ISMS scope if the servers are in the cloud https://advisera.com/27001academy/blog/2017/05/22/defining-the-isms-scope-if-the-servers-are-in-the-cloud/
- How to set the ISMS scope according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/how-to-set-the-isms-scope-according-to-iso-27001-free-webinar-on-demand/

2 - Another question: in the access control policy in section 3 you have established in the template user profiles and rights: Are these systems each and every application within the scope of the ISMS or are they processes (where there may be more than one application used)?)

Answer:

The access profiles refer not only to systems, but also to networks, and facilities, included in the ISMS scope. Please note that you should consider each profile covering as much elements as possible so you do not finish with a great number of profiles to manage.
Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 06, 2019

Sep 06, 2019

Suggested Topics

Guest user Created:   Sep 14, 2021 ISO 27001 & 22301
Replies: 1
0 0

Scope in Conformio

Guest user Created:   Jul 17, 2021 ISO 27001 & 22301
Replies: 1
0 0

Scope definition