Defining Scope
1. How to define Scope
2. Can we say that a company is certified if only a part of it meets the standard?
3. A company builds an IT solution. Can we distinguish between its business infrastructure and the product infrastructure?
1. How to define Scope
You need to identify in which part of your company your most valuable information is. You can start by identifying which information is important for your organization to achieve its objectives and to be compliant with applicable legal requirements (e.g., laws, regulations, and contracts).
Generally speaking, for a company of up to 100 employees, the best option is to include the whole company in the scope.
These articles will help you:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- Problems with defining the scope in ISO 27001 https://advisera.com/27001academy/blog/2010/06/29/problems-with-defining-the-scope-in-iso-27001/
2. Can we say that a company is certified if only a part of it meets the standard?
You need to check the specific procedures on how to communicate the certification status to external parties with the certification body, but generally speaking, wherever you display information about the certification status you also need to provide information for people to verify the certification scope (e.g., the certification number, a link to a copy of the certification, etc.).
3. A company builds an IT solution. Can we distinguish between its business infrastructure and the product infrastructure?
You can define the ISMS scope considering only specific parts of your organization, but in general, this is worthwhile only for bigger organizations.
May 29, 2020