Defining the Scope
I would like to start off with a scope that includes the information stored in our datacenters.
But, when I look at the ISO 27001 standard, it states quite clearly that:
When determining the scope, the organization shall consider:
a) the external and internal issues referred to in 4.1 (Understanding the organization and its context);
b) the requirements referred to in 4.2 (Understanding the needs and expectations of interested parties);
c) interfaces and dependencies between activities performed by the organization and those that are performed by other organizations.
I refer in particular to point c). We use 3rd party suppliers, some of whom process our client data (which is stored in our datacenter), and I was wondering: if I only include the information that is stored in our datacenter in the scope, and if I don't include 3rd parties in the scope, will the ISMS fail the audit? Or is it simply enough to say that we have controls and policies in place around the data that is stored in our datacenter, and that these controls pertain to the 3rd parties who process some of that data that resides in our datacenter?
You can define the scope of your ISMS as the data in the data center, but you need to state in the scope that this data is accessed by third parties, so this information can be used in the risk assessment and risk treatment process (from there you can define how to treat risks related to third parties accessing the data, normally by means of security clauses in contracts, agreements or terms of service).
These articles will provide you a further explanation about scope definition and supplier security:
- How to define the ISMS scope https://advisera.com/27001academy/knowledgebase/how-to-define-the-isms-scope/
- 6-step process for handling supplier security according to ISO 27001 https://advisera.com/27001academy/blog/2014/06/30/6-step-process-for-handling-supplier-security-according-to-iso-27001/
Aug 14, 2020